Identity access management (IAM) systems help organizations manage electronic identities, using automated processes to initiate, capture, record and manage user identities and their related access permissions. Poor or loosely controlled IAM processes may lead to organizational regulatory noncompliance and an inability to determine whether company data is being misused.
The chief audit executive (CAE) should be involved in development of the organization's IAM strategy. The CAE brings a unique perspective on how IAM processes can increase the effectiveness of access controls while also providing greater visibility for auditors into the operation of these controls.
The purpose of this GTAG is to provide insight into what IAM means to an organization and to suggest internal audit areas for investigation. In addition to involvement in strategy development, the CAE has a responsibility to ask both business and IT management what IAM processes are currently in place and how they are being administered. While this document is not to be used as the definitive resource for IAM, it can assist CAEs and other internal auditors to understand, analyze, and monitor their organization's IAM processes.
This document is also available in paperback.
Prepared by The Institute of Internal Auditors (The IIA), each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology (IT) management, control, and security. The GTAG series serves as a ready resource for chief audit executives on different technology-associated risks and recommended practices.
Item Number: 10.6304