GTAG9 - The Institute of Internal Auditors

GTAG 9 - Identity and Access Management
Identity and access management (IAM) is a cross-functional process that helps organizations to manage who has access to what information over a period of time. This process is used to initiate, capture, record, and manage the user identities and related access permissions to the organization's proprietary information. Poor or loosely controlled IAM processes may lead to organizational regulatory noncompliance and an inability todetermine whether company data is being misused.

Chief audit executives (CAEs) should be involved in the development of the organization's IAM strategy as well as evaluate the implementation of the strategy and effectiveness of companywide access controls. The purpose of this GTAG is to provide insight into what IAM means to an organization and to suggest internal audit areas for investigation. It can assist CAEs and other internal auditors to understand, analyze, and monitor their organization's IAM processes. A checklist for IAM review is also included in this guide.

Table of Contents
1. Executive Summary...................................................................................... 1

2. Introduction..................................................................................................... 2
2.1 Business Drivers.......................................................................................... 2
2.2 Identity and Access Management Concepts........................................... 3
2.3 Adoption Risks.............................................................................................. 4

3. Definition of Key Concepts........................................................................... 5
3.1 Identity Management vs. Entitlement Mana.............................................. 6
3.2 Identity and Access Management Comp.................................................. 6
3.3 Access Rights and Entitlements................................................................ 6
3.4 Provisioning Process................................................................................... 7
3.5 Administration of Identities and Access Rights Process...................... 9
3.6 Enforcement Process................................................................................. 10
3.7 Use of Technology in IAM........................................................................... 10

4. The Role of Internal Auditors...................................................................... 12
4.1 Current IAM Processes............................................................................... 12
4.2 Auditing IAM................................................................................................... 14

Appendix A: IAM Review Checklist................................................................ 17
Appendix B: Additional Information............................................................... 22
Glossary............................................................................................................... 23

About the Authors.............................................................................................. 24

Download a free copy of GTAG 9: Identity and Access Management (PDF, 1MB)
Purchase printed version.

Project Leader
Sajay Rai, Ernst & Young LLP

Authors
Frank Bresz, Ernst & Young LLP
Tim Renshaw, Ernst & Young LLP
Jeffrey Rozek, Ernst & Young LLP
Torpey White, Goldenberg Rosenthal LLP

Quick Search Advanced Search Site Map IIA Popular Pages CIA Exam Content CFSA Individual Memberships Code of Ethics Information Technology		Home / Professional Guidance / Information Technology / GTAG / GTAG9 GTAG 9 - Identity and Access Management Identity and access management (IAM) is a cross-functional process that helps organizations to manage who has access to what information over a period of time. This process is used to initiate, capture, record, and manage the user identities and related access permissions to the organization's proprietary information. Poor or loosely controlled IAM processes may lead to organizational regulatory noncompliance and an inability todetermine whether company data is being misused. Chief audit executives (CAEs) should be involved in the development of the organization's IAM strategy as well as evaluate the implementation of the strategy and effectiveness of companywide access controls. The purpose of this GTAG is to provide insight into what IAM means to an organization and to suggest internal audit areas for investigation. It can assist CAEs and other internal auditors to understand, analyze, and monitor their organization's IAM processes. A checklist for IAM review is also included in this guide. Table of Contents 1. Executive Summary...................................................................................... 1 2. Introduction..................................................................................................... 2 2.1 Business Drivers.......................................................................................... 2 2.2 Identity and Access Management Concepts........................................... 3 2.3 Adoption Risks.............................................................................................. 4 3. Definition of Key Concepts........................................................................... 5 3.1 Identity Management vs. Entitlement Mana.............................................. 6 3.2 Identity and Access Management Comp.................................................. 6 3.3 Access Rights and Entitlements................................................................ 6 3.4 Provisioning Process................................................................................... 7 3.5 Administration of Identities and Access Rights Process...................... 9 3.6 Enforcement Process................................................................................. 10 3.7 Use of Technology in IAM........................................................................... 10 4. The Role of Internal Auditors...................................................................... 12 4.1 Current IAM Processes............................................................................... 12 4.2 Auditing IAM................................................................................................... 14 Appendix A: IAM Review Checklist................................................................ 17 Appendix B: Additional Information............................................................... 22 Glossary............................................................................................................... 23 About the Authors.............................................................................................. 24 Download a free copy of GTAG 9: Identity and Access Management (PDF, 1MB) Purchase printed version. Project Leader Sajay Rai, Ernst & Young LLP Authors Frank Bresz, Ernst & Young LLP Tim Renshaw, Ernst & Young LLP Jeffrey Rozek, Ernst & Young LLP Torpey White, Goldenberg Rosenthal LLP		Global Technology Audit Guides (GTAG^®) Guide 1 Guide 2 Guide 3 Guide 4 Guide 5 Guide 6 Guide 7 Guide 8 Guide 9 IT Resources Review some of the latest IT Resources available for IT auditing. GAIT Project Learn more about the ongoing IT auditing guidance project known as the Guide to the Assessment of ITGeneral Controls Scope Based on Risk (GAIT). Information Technology