IAM and ITGC in Practice: How we structure living and auditable governance

Far beyond technology: it's time to review invisible processes
With the SAP implementation completed and the access structure established, the next challenge was evident: how to sustain this new scenario with robust processes that account for organizational dynamics and audit requirements?
It was in this context that we began a deep dive into IAM flows and IT general controls (ITGC). The goal was not just to check whether policies were documented, but to understand how access was actually granted, revoked and reviewed in practice. Over the course of this work we identified 21 real risks, mapped 20 critical vulnerabilities and turned the lessons learned into 26 structured recommendations.
What we found: operational gaps and silent risks
Access was granted on subjective criteria, with a strong dependence on e-mails, spreadsheets and managers' judgment. A history of "copying accesses" from one user to another without validation produced role conflicts and segregation-of-duties (SoD) violations that went unnoticed.
Revocation, in turn, followed a manual flow triggered by HR communication. In internal transfers the old permissions remained active, so privileges accumulated silently as people moved between roles. When we evaluated the periodic access review, we found it was run infrequently and with little prioritization by criticality of the access being reviewed.
In addition, the lack of segregation in change management, the manual control of physical access to servers and the absence of a consolidated audit trail showed how much the ITGC controls needed to evolve.
Translating diagnosis into solution: the roadmap in two waves
To address the vulnerabilities found, we structured a practical roadmap divided into two implementation fronts: priority improvements and medium-term strategic actions.
Among the immediate actions, the following stand out: approval workflows with segregated requester and approver, integration with the HR system for automatic revocation on termination and transfer, automatic SoD validation at provisioning time (before the access is granted, not in a later review), and control of privileged access through a PAM solution.
The second wave, spanning up to 12 months, covers automation of the access review, continuous identity monitoring, formal SLAs for backup and recovery, and more detailed ITGC documentation.
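As an added illustration, not the client's or Vennx's code, the following Python sketch shows how the two wave-one controls that answer the findings above fit together: an SoD check that runs at provisioning time, including for the "copy a colleague's access" request that caused the silent violations, and HR-driven revocation when a person transfers internally. The role names, the SoD conflict pairs, the job-to-role model and the users are constructed assumptions, loosely modelled on finance roles in an ERP.

```python
"""SoD-aware provisioning and mover handling (added example; constructed data)."""
from dataclasses import dataclass, field

# Constructed SoD rule set: pairs of roles that must never coexist on one identity.
SOD_CONFLICTS = {
    frozenset({"AP_VENDOR_MAINTAIN", "AP_PAYMENT_RELEASE"}),  # create a vendor and pay it
    frozenset({"PO_CREATE", "PO_APPROVE"}),                   # raise and approve a PO
    frozenset({"GL_POST", "GL_PERIOD_CLOSE"}),                # post entries and close the period
}

# Constructed mapping from HR job code to the roles that job legitimately needs.
JOB_ROLE_MODEL = {
    "AP_CLERK": {"AP_VENDOR_MAINTAIN", "AP_INVOICE_ENTRY"},
    "AP_SUPERVISOR": {"AP_PAYMENT_RELEASE", "AP_INVOICE_ENTRY"},
    "BUYER": {"PO_CREATE"},
    "PROCUREMENT_MANAGER": {"PO_APPROVE"},
}


@dataclass
class Identity:
    user_id: str
    job_code: str
    roles: set = field(default_factory=set)


def sod_violations(roles):
    """Return the conflict pairs fully present in `roles` (empty set means clean)."""
    current = set(roles)
    return {pair for pair in SOD_CONFLICTS if pair <= current}


def provision(identity, requested, approver):
    """Grant `requested` roles only if the approver is not the requester and the
    resulting role set is free of SoD conflicts. Returns (granted, reasons)."""
    if approver == identity.user_id:
        return False, ["self-approval rejected"]
    candidate = identity.roles | set(requested)
    conflicts = sod_violations(candidate)
    if conflicts:
        # Reject before anything is written; the reasons feed the audit trail.
        return False, [f"SoD conflict: {sorted(pair)}" for pair in sorted(map(sorted, conflicts))]
    identity.roles = candidate
    return True, []


def copy_access(target, source, approver):
    """'Give me the same access as my colleague' goes through the same gate,
    so a clone that merges two conflicting job profiles is caught here."""
    return provision(target, source.roles, approver)


def handle_mover(identity, new_job_code):
    """HR-driven internal transfer: revoke every role the new job does not need,
    update the job code, and return the revoked set so the action is logged."""
    keep = JOB_ROLE_MODEL.get(new_job_code, set())
    revoked = identity.roles - keep
    identity.roles = identity.roles & keep
    identity.job_code = new_job_code
    return revoked


if __name__ == "__main__":
    alice = Identity("alice", "AP_CLERK", set(JOB_ROLE_MODEL["AP_CLERK"]))
    bob = Identity("bob", "AP_SUPERVISOR", set(JOB_ROLE_MODEL["AP_SUPERVISOR"]))
    print("copy bob -> alice:", copy_access(alice, bob, approver="manager1"))
    print("alice moves to AP_SUPERVISOR, revoked:", handle_mover(alice, "AP_SUPERVISOR"))
    print("grant new job roles:", provision(alice, JOB_ROLE_MODEL["AP_SUPERVISOR"], "manager1"))
    print("alice now holds:", sorted(alice.roles), "conflicts:", sod_violations(alice.roles))
```

The two failure modes from the findings show up directly: copying bob's access onto alice would combine vendor maintenance with payment release and is refused at provisioning, and the transfer first strips the clerk role before the supervisor roles are granted, which is exactly the step a manual, HR-e-mail-driven flow tends to skip.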
Impact: from manual control to fluid and scalable governance
The project's gains were practical and immediate. IAM now operates with automated, traceable processes that are better aligned with business needs. Today the organization has greater control over who has access to what, why, and until when.
In the field of ITGC, documentation has become more accurate, logs have been consolidated, and continuous monitoring now allows rapid detection of abnormal behavior. Governance has ceased to be intuition and has become a structured, reliable and auditable system.
Conclusion: access governance is a cycle, not a project
The review of the IAM and ITGC processes was the third stage of a transformation journey that does not stop. By turning manual processes into intelligent flows and anticipating operational risks based on data, the company has created the conditions for living access governance.
This is not just compliance. It is security, efficiency and preparation for the future. And if your organization is going through something similar, it is worth understanding how this roadmap can be adapted to your reality.
Do you want to understand how to apply this same model of evolution in IAM and ITGC in your company? Our team can show you how to adapt best practices to your business context.
Talk to a Vennx specialist.