Many companies have the policy to lock the users who are not using the system after a certain number of days, usually 60 days or 90 days. But this is a manual process and has inherent audit SAP risk because it is irregular at best. The audit SAP risk of leaving the dormant user in the system can be any combination of the following:
- The User may have left the company but still trying to access the system
- Other people may copy the access of the dormant users
- When the dormant user returns, the proper approval may be lacking to get that person the correct access
- The unlocked user costs the company a license cost even though he is not productive in the system
- Some of the users may be using the system intermittently and they may be locked without any forewarning