Over 80% of Fortune 500 companies use SharePoint for workforce collaboration, content management, and critical business applications. Yet few understand how it is deployed or make regular assessment of their SharePoint environment part of their audit plan. Clients store sensitive data in SharePoint but do not secure it. At least 36% of surveyed SharePoint users are breaching security policies and gaining information to sensitive, confidential information that they are not entitled to access. And, 79% of those surveyed said their organisations stored sensitive data in a SharePoint environment, but only 18 percent said they prevented access through the use of technical controls.

Clients are using SharePoint as a business application and therefore, it should be assessed as part of an Internal Audit program as such. With the increasing flexibility and extensibility of the platform, business users are creating SharePoint-based applications to support business functions. Without proper Governance and Security plans in place, many of these systems are created without the awareness of IT or Audit. Examples of recent client discoveries include:

• Employee On-boarding and Off-boarding: Processes that manage user permission changes, thus granting and removing access.
• Vendor Management: Solutions that manage the entire vendor management lifecycle. This includes the vendor identification, risk assessment, contracting, and payment activities.
• Change Requests: Applications that manage changes to the firewall, ERP, and other critical systems.
• Incident Management: Systems that track operational activity that may introduce a compliance risk