Identity and access management (IAM) is a cross-functional process for managing who has access to what information over time. It is used to initiate, capture, record, and manage user identities and the access permissions they hold to the organization's proprietary information.
Poor or loosely controlled IAM processes may lead to organizational regulatory noncompliance and an inability to determine whether company data is being misused.
The CAE should be involved in the development of the organization's IAM strategy. The CAE brings a unique perspective on how IAM processes can increase the effectiveness of access controls while also giving auditors greater visibility into how those controls operate.
The purpose of this GTAG is to provide insight into what IAM means to an organization and to suggest internal audit areas for investigation. In addition to involvement in strategy development, the CAE has a responsibility to ask both business and IT management what IAM processes are currently in place and how they are being administered. While this document is not to be used as the definitive resource for IAM, it can assist CAEs and other internal auditors to understand, analyze, and monitor their organization's IAM processes.
Prepared by The Institute of Internal Auditors (The IIA), each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology (IT) management, control, and security. The GTAG series serves as a ready resource for chief audit executives on different technology-associated risks and recommended practices.