Komply with AI
Control Narrative
Generate Control Narrative
Answer the questions below to generate a detailed control narrative.
Control Information
Control
Control Owner
Control Frequency
1. Timing and SLA
How frequent is the review?
The review is conducted quarterly and is initiated within 15 days of quarter-end.
How long does the review take to perform?
The end-to-end process, from list generation to access removal, is completed within 30 days of the review's initiation.
2. Documentation
How is the review documented?
The review is documented in a dedicated Jira ticket.
How is completion of the review evidenced?
Completion is evidenced by the resolution of the Jira ticket with a 'Done' status.
How are changes requested evidenced?
Changes are evidenced by comments within the Jira ticket (e.g., 'Retain', 'Remove') and attachments of the reviewed user lists.
3. List Reviewed
How is the user listing generated? What is the source system?
The user listing is generated from the production database of the 'Finance System' via a standard SQL script.
Is the report standard or customized?
The report is standard: the SQL script is the system's built-in user-listing query and is not customized.
Are there any filters applied to the report(s)?
No filters are applied. The raw, complete user listing is reviewed.
How does the reviewer ensure the list is complete and accurate?
The reviewer performs a completeness reconciliation by comparing the user count in the report to the user count shown in the system's administration dashboard at the time of generation; any difference is investigated before the review proceeds.
Are report generation screenshots/queries retained?
Screenshots of the report generation parameters and the resulting report are attached to the Jira ticket.
Who generates the report?
The report is generated by a member of the IT Operations team.
4. Scope of the Review
Are all roles/users/groups reviewed?
All users with active accounts, including administrators, standard users, and service accounts, are reviewed.
If not, what was excluded and why?
No user groups are excluded from the review.
5. Reviewers
Who is responsible for performing the primary review?
The primary reviewer is the designated business owner of the system.
How is segregation of duties maintained?
The reviewer cannot review their own access. If the primary reviewer is on the user list, their access is reviewed and approved by their direct manager, who acts as the secondary reviewer. This is documented in a separate email attached to the ticket.
Who performs the final review and sign-off?
The primary reviewer is also responsible for the final review and sign-off.
What makes the reviewer(s) appropriate?
The reviewer is qualified as they are the system's business owner and have an understanding of the appropriate access levels required for different job roles.
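The completeness check in section 3 and the segregation-of-duties rule in section 5 are both mechanical enough to script. The following is an added example, not Komply's, KPMG's or the Finance System's own code. It assumes the SQL export is a CSV with the columns user_id, display_name, account_type and status (assumed names), that the admin dashboard shows a count of active accounts per account type, and that the primary reviewer and their manager are identified by user_id. All sample data is constructed. It goes slightly beyond the narrative by reconciling per account type rather than the overall total, because a matching total can mask a filter that silently dropped service accounts while extra rows of another type crept in; it also records a SHA-256 of the raw export so the ticket carries a verifiable fingerprint of what was reviewed, alongside the screenshots.

```python
"""Completeness-and-accuracy reconciliation and reviewer routing for a
user access review listing (added example; CSV column names, the
dashboard count format and all sample data are assumptions)."""
import csv
import hashlib
import io
from collections import Counter

# Constructed sample export standing in for the raw, unfiltered listing
# attached to the Jira ticket. Column names are assumptions.
SAMPLE_EXPORT = """user_id,display_name,account_type,status
u1001,Alice Finance,standard,active
u1002,Bob Ledger,admin,active
u1003,svc_batch_post,service,active
u1004,Carol Close,standard,active
u1005,Dave Former,standard,disabled
"""

# Constructed dashboard counts of active accounts per type, as read by
# the reviewer from the admin console at generation time.
SAMPLE_DASHBOARD_COUNTS = {"standard": 2, "admin": 1, "service": 1}


def parse_listing(export_text):
    """Parse the CSV export into one dict per account row."""
    return list(csv.DictReader(io.StringIO(export_text)))


def evidence_hash(export_text):
    """SHA-256 of the raw export, recorded on the ticket as evidence."""
    return hashlib.sha256(export_text.encode("utf-8")).hexdigest()


def reconcile(rows, dashboard_counts):
    """Compare active-account counts per account type with the dashboard.

    Returns (ok, discrepancies); discrepancies maps account_type to
    (listing_count, dashboard_count). Types present on only one side are
    reported with a zero, so a dropped category is not hidden by a
    matching overall total.
    """
    active = [r for r in rows if r["status"] == "active"]
    listing_counts = Counter(r["account_type"] for r in active)
    discrepancies = {}
    for acct_type in set(listing_counts) | set(dashboard_counts):
        lc = listing_counts.get(acct_type, 0)
        dc = dashboard_counts.get(acct_type, 0)
        if lc != dc:
            discrepancies[acct_type] = (lc, dc)
    return (not discrepancies, discrepancies)


def assign_reviewer(rows, primary_reviewer_id, manager_id):
    """Route each row to a reviewer so nobody reviews their own access.

    The primary reviewer's own row goes to their direct manager (the
    secondary reviewer); every other row goes to the primary reviewer.
    """
    assignments = {}
    for r in rows:
        if r["user_id"] == primary_reviewer_id:
            assignments[r["user_id"]] = manager_id
        else:
            assignments[r["user_id"]] = primary_reviewer_id
    return assignments


def run_review_prep(export_text, dashboard_counts, primary_reviewer_id, manager_id):
    """One pass: parse, fingerprint, reconcile, and build the routing."""
    rows = parse_listing(export_text)
    ok, diffs = reconcile(rows, dashboard_counts)
    return {
        "evidence_sha256": evidence_hash(export_text),
        "total_rows": len(rows),
        "reconciled": ok,
        "discrepancies": diffs,
        "assignments": assign_reviewer(rows, primary_reviewer_id, manager_id),
    }


if __name__ == "__main__":
    # Bob (u1002) is the primary reviewer; u9000 is his manager (assumed IDs).
    print(run_review_prep(SAMPLE_EXPORT, SAMPLE_DASHBOARD_COUNTS, "u1002", "u9000"))
```

A count reconciliation, per type or not, still cannot detect a row that was substituted for another of the same type; where the admin console can export its own identity list, comparing the two sets of user_id values is the stronger check, and the per-type count then becomes a quick sanity test rather than the control itself.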
6. Corrective Items/Changes Requested
How are corrective actions completed post-review?
Access removals are processed through a separate service request ticket raised with the IT Operations team. The primary reviewer tracks the removal ticket to confirm it is completed within the 5-day SLA.
How are the performed changes evidenced and retained?
A post-removal screenshot from the system's admin console is attached to the main Jira ticket as evidence.
Is an impact analysis performed for inappropriate access?
If inappropriate access is discovered, a formal impact analysis is initiated by the security team to review the user's activity logs during the period of unauthorized access.