IT Audit - The Institute Of Internal Auditors  


Vol. 10, December 10, 2007

Tech Practices Update

Here is the latest technology news from The Institute of Internal Auditors (The IIA):


The Institute Releases New Guide on Identity and Access Management

Properly identifying who has access to what information over a period of time is an important aspect of an organization's day-to-day work. Known as identity and access management (IAM), this process touches every part of the organization — from accessing a facility's front door to retrieving corporate financial data. To help chief audit executives (CAEs) and internal auditors understand an organization's IAM activities, The IIA recently released Identity and Access Management as part of its Global Technology Audit Guide (GTAG) series. Written in straightforward business language, each GTAG serves as a ready resource for CAEs and internal auditors on different technology-associated risks related to IT management, control, and security.

"Because identity access and management affects every business unit, internal auditors should understand ways that organizations can control access more effectively," says Sajay Rai, CISSP, CISM, partner in Ernst & Young LLP's Risk Advisory Services Practice and leader of the team who wrote the guide. "The purpose of this GTAG is to provide insight into what identity and access management means to an organization and to suggest internal audit areas for investigation."

As the guide explains, IAM processes are used to initiate, capture, record, and manage user identities and the access permissions they carry to a company's proprietary information. As part of their work, auditors play an important role in helping organizations develop effective IAM processes and in monitoring their implementation. For instance, prior to conducting an IAM audit, auditors need to understand the organization's existing IAM structure, such as the company's business architecture and IAM policies, as well as the laws, regulations, and mandates with which compliance is necessary. When conducting the audit, internal auditors need to document the organization's identity and entitlement process and evaluate existing IAM activity controls.

Besides describing how to go about auditing IAM activities, the guide provides an IAM review checklist auditors can use during the audit. The guide also defines key IAM concepts and activities, such as:

  • Main business drivers for identity and access management (i.e., improved regulatory compliance, operating efficiencies, transparency, and user satisfaction; reduced information security risk and IT operating and development costs; and increased effectiveness of key business initiatives).
  • Different areas IAM strategies should address (i.e., who has access to what information, the appropriateness of the access level based on the job being performed, and whether access activities are being monitored, logged, and reported appropriately).
  • Risks that need to be examined and understood as the organization implements new or modified IAM processes (i.e., organization complacency, participation, planning, communication, incorporation of all IT systems into the process, making the process too weak, process complexity, and lack of enforcement).
  • Different IAM components (i.e., identity types, onboarding, and offboarding), as well as the access rights, entitlement, and provisioning processes.
  • How to administer identities and the access rights process, and how to enforce IAM activities.
  • The proper use of technology in IAM.
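The review questions listed above (who has access to what, whether the access level fits the job, whether offboarding actually removed access, and whether access is being logged) can be expressed as a reconciliation between the HR roster, a role-to-entitlement baseline, and an account export. The script below is an added illustration written for this article, not code from the GTAG or The IIA; the roster, roles, accounts, and entitlement names are constructed sample data for a hypothetical organization.

```python
"""Illustrative IAM entitlement review (added example, not from the GTAG).

Constructed inputs: an HR roster (who works here, in what role, still active?),
a role-to-entitlement baseline (what access the job should carry), an export
of accounts with provisioned entitlements, and the set of entitlements whose
use is actually logged. The review flags four checklist findings: accounts
with no identity behind them, orphaned accounts left after offboarding,
entitlements beyond the role baseline, and entitlements nobody monitors.
"""

# Constructed sample data for a hypothetical company (assumption, not real).
HR_ROSTER = {            # user id -> (role, active)
    "alice": ("accountant", True),
    "bob": ("engineer", True),
    "carol": ("accountant", False),   # terminated; should have been offboarded
}
ROLE_BASELINE = {        # role -> entitlements appropriate for that job
    "accountant": {"gl_read", "ap_submit"},
    "engineer": {"repo_write", "ci_run"},
}
ACCOUNTS = {             # account -> entitlements currently provisioned
    "alice": {"gl_read", "ap_submit", "gl_post"},   # gl_post exceeds baseline
    "bob": {"repo_write", "ci_run"},
    "carol": {"gl_read"},                           # orphaned account
    "svc_backup": {"db_admin"},                     # no identity in HR at all
}
LOGGED_ENTITLEMENTS = {"gl_read", "ap_submit", "gl_post", "repo_write"}


def review_access(roster, baseline, accounts, logged):
    """Return (finding, account, entitlements) tuples in account order."""
    findings = []
    for acct, ents in sorted(accounts.items()):
        identity = roster.get(acct)
        if identity is None:                      # nobody owns this account
            findings.append(("no_identity", acct, sorted(ents)))
            continue
        role, active = identity
        if not active:                            # offboarding did not revoke access
            findings.append(("orphaned", acct, sorted(ents)))
            continue
        excess = ents - baseline.get(role, set())  # more access than the job needs
        if excess:
            findings.append(("excess_entitlement", acct, sorted(excess)))
        unlogged = ents - logged                   # access that is never monitored
        if unlogged:
            findings.append(("unmonitored", acct, sorted(unlogged)))
    return findings


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ROLE_BASELINE, ACCOUNTS, LOGGED_ENTITLEMENTS):
        print(*finding)
```

In a real review the three inputs come from the HR system, the role catalogue, and the directory or application export rather than inline literals, and each finding is tied back to an owner who must confirm or remediate it.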

"As an organization changes, so too should its use of identity and access management activities," Rai comments. "Therefore, as changes take place, management should be cautious that the process does not become too unwieldy and unmanageable or expose the organization to undue risk due to improper use of IT assets. As part of their work, internal auditors need to ask business and IT management what identity and access management processes are currently in place and how they are being administered."

To read or download Identity and Access Management, visit The IIA's GTAG page.
