Vendor Access to Development and Production

January 19, 2015 Ryan Buckner

If we require assistance from a vendor to have developer access to production, how is that treated during the audit?

If the access is temporary in nature, it could be treated the same way you would treat any vendor for a particular service (e.g., generator inspector, sensitive document shredding vendor, data center badge access software vendor, etc.).

In other words, it is common and acceptable for vendors to assist in an organization’s control environment. You would simply have them be subject to your established vendor management practices, sign appropriate forms that may be required, then allow them to perform what you have contracted/engaged them to do. When the project or issue is complete, you would revoke their authorization/access and review their tasks in a timely manner.

If their access will be long-standing (not tied to a specifically defined project or support issue), then most organizations use the same process they have in place for temporary access, but with additional monitoring controls.

About the Author

Ryan Buckner

Ryan Buckner is a Principal at Schellman & Company. Ryan currently serves on Schellman’s attestation leadership team and leads the firm-wide research and development for attestation methodology. Ryan is a CIPP, CISSP, CISA, ISO 27001 Lead auditor, and maintains multiple CPA licenses, among other certifications. Ryan is also an AICPA-approved and nationally listed Peer Review Specialist for SOC 1 and SOC 2 examinations. Having completed over 1,000 service audits, Ryan is one of the most experienced service auditors in the world.
