Uncovering Common Audit Risks in PeopleSoft

4 min read

PeopleSoft is a popular enterprise resource planning (ERP) system used by many organizations to manage their business operations. With its wide range of functionalities, PeopleSoft has become an integral part of many companies’ day-to-day processes. However, as with any other system, PeopleSoft is not immune to potential risks and vulnerabilities.

In this article, we will discuss five common audit risks in PeopleSoft and how organizations can leverage Sentinel to help address them.  

1. Inactive Employees with Active Accounts 

When an employee leaves an organization, it is essential to deactivate their accounts promptly. However, in large organizations with a high turnover rate, it can be challenging to keep track of all the accounts and deactivate them in a timely manner. This poses a significant risk as inactive employees can still access sensitive information and make unauthorized changes.

To mitigate this risk, organizations should have proper controls in place to ensure that accounts are deactivated immediately after an employee leaves. Sentinel features a User Hub, which is a consolidated list of users from all PeopleSoft environments. It provides a centralized way to view and manage accounts across all environments, including one-click access to lock one, some, or all of the user’s accounts. 

User Hub, Lock Accounts

2. De-provisioning Roles 

In addition to deactivating user accounts, it is also crucial to de-provision any roles or privileges granted to employees. Often, employees are granted access to roles that are no longer necessary for their current job responsibilities, and this access can go unnoticed. This leaves the door open for unauthorized access and increases the risk of misusing sensitive financial information.

Dynamic Security is an automation tool within Sentinel that can automatically assign and remove roles based on job information. This saves administrators time with routine security tasks and ensures a proper de-provisioning process is in place at the organization. Dynamic security jobs can be created within the system to align with a variety of criteria. Plus, Sentinel also tracks all completed dynamic jobs, including which users were updated. 

Dynamic Security in Sentinel

3. Privileged Access Pages

PeopleSoft allows for different levels of access to various functions and pages based on an employee's role. However, there is also the possibility of granting privileged access to certain pages, which can be used to bypass controls and make unauthorized changes. This risk is more significant for administrators who have access to all pages and functions in the system.

One way to combat this risk is to restrict access to critical functions and pages. This means limiting the number of employees who have access to these features to minimize the risk of unauthorized changes or manipulations. Additionally, organizations should conduct regular reviews of privileged access to administration controls, pages, and other important processes. 

To make this process easier and more efficient, Sentinel offers a report that allows for thorough audits of privileged access in PeopleSoft. It’s equipped with best-practice controls that can be easily tailored to meet the specific reporting needs of your organization. The Privileged Access Report is readily available and tracks the progress of reviews, including the number of users reviewed, those who require remediation, and those who have not yet been reviewed. This helps organizations maintain better control over access to critical functions and pages and ensures that any potential vulnerabilities are identified and addressed in a timely manner. 

Privileged Access Report in Sentinel

4. Sensitive Data Fields - PII/PCI

PeopleSoft contains a wealth of sensitive financial information, including personally identifiable information (PII) and payment card information (PCI). Any unauthorized access to this data can lead to identity theft and financial fraud, causing significant repercussions for both the organization and its customers.

Organizations should have strict access controls in place, allowing only authorized employees to access sensitive data fields. It is also essential to regularly review and monitor access to these fields and promptly remediate any unnecessary access.

Sentinel provides a summary audit report of users with access to PII/PCI data in PeopleSoft. Like the other audit reports, the Sensitive Data Report is readily available and tracks the progress of reviews, including the number of users, those requiring remediation, and those not yet reviewed. Within the system, you can easily manage the Pages, Tables, and Fields for the sensitive data reports or choose to use the delivered sensitive data controls.  

Sensitive Data Report in Sentinel

5. Segregation of Duty Controls

Segregation of duties is a fundamental principle of internal control, and it ensures that no single employee has control over all aspects of a financial process. In PeopleSoft, this can be achieved through proper role and permission assignments. However, granting employees access to conflicting roles can lead to potential errors, compliance issues, or even fraudulent activity.

Organizations can use Sentinel to review SOD conflicts. The clickable report showcases the number of users with access to source and conflict control pages, those requiring remediation, and those not yet reviewed. The software is delivered with best-practice SOD controls, which can easily be configured to suit individual reporting requirements. 

Segregation of Duties Report in Sentinel

To learn more about how Sentinel enhances visibility for addressing typical auditing challenges in PeopleSoft, contact a member of our team today.