I'm auditing a control for Sarbanes-Oxley purposes, which makes the following assertion:
"...newly hired, and temporary (contract) employees are granted a basic set of network privileges. Access in excess of these pre-defined privileges is granted only upon receipt of a valid approved request."
I would like to know where to look in order to ascertain the initial (or current) privileges for any given user. This will allow me to evaluate those privileges against the standard, and determine whether they exceed what should be given by default. Then, I can look further to determine whether the privileges in excess of the default have been specifically approved, as the control requires.
Are there multiple places I should look to determine current network privileges? Dates those privileges were granted would be equally helpful, in that they would help me as I try to locate evidence that the additional privileges were appropriately authorized. I'm going to have lots more questions like this over the next few days, so the more specific your guidance is, the more helpful I'll find it.