What is the risk in having active users who have left an organisation in a single sign on application? Specifically where such users have been deactivated in the AD in a single sign on application.
Hello! Just to make sure we have understood this correctly. A user has been deactivated in the Active Directory (AD), yet they are still deemed active users within specific systems? For instance, they are active in the financial accounting system, but deactivated from the AD and single sign on?
From experience, this is still a risk. Many systems still allow users to sign on without single sign on. Additionally, it would mean there is a control breakdown in the process. Why are they being deactivated in only the AD, but not subsequent systems? Shouldn't these all be linked / deactivated as part of the same process?
I think there is significant risk here and a decent breakdown of controls which should be investigated further.
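
An added example, not part of the original thread: one way to test for the gap discussed above is to reconcile an AD export against the application's own user list and flag accounts that are still active in the application after being disabled in AD. The CSV column names, the sample rows and the severity labels are assumptions made for illustration.

```python
import csv
import io

# Constructed sample exports (not real data); column names are assumptions.
AD_EXPORT = """sAMAccountName,enabled
jsmith,False
akhan,True
mlee,False
tbrown,False
"""

APP_EXPORT = """username,status,local_login_allowed,last_login
JSmith,active,yes,2024-03-02
akhan,active,no,2024-03-10
mlee,active,no,2023-11-20
tbrown,disabled,no,2023-09-01
svc_batch,active,yes,2024-03-11
"""

def reconcile(ad_csv, app_csv):
    """Return findings for application accounts that are active but not enabled in AD."""
    # Map lower-cased AD account name -> enabled flag (usernames often differ in case).
    ad = {r["sAMAccountName"].strip().lower(): r["enabled"].strip().lower() == "true"
          for r in csv.DictReader(io.StringIO(ad_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(app_csv)):
        user = row["username"].strip().lower()
        if row["status"].strip().lower() != "active":
            continue  # already deactivated in the application
        if user not in ad:
            issue = "no AD account (orphan or local-only account)"
        elif not ad[user]:
            issue = "disabled in AD, still active in application"
        else:
            continue  # enabled in both places
        # Assumed rating: an account that can bypass SSO with a local login is worse.
        local = row["local_login_allowed"].strip().lower() == "yes"
        findings.append({"user": user, "issue": issue,
                         "severity": "high" if local else "medium",
                         "last_login": row["last_login"]})
    # High severity first, then alphabetical.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["user"]))

if __name__ == "__main__":
    for f in reconcile(AD_EXPORT, APP_EXPORT):
        print(f"{f['severity']:6} {f['user']:10} {f['issue']} (last login {f['last_login']})")
```

Comparing each finding's last login against the leaver's termination date shows whether the account was actually used after departure.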