GTAG-9 presentation (PPT, 360KB)
Global Technology Audit Guide (GTAG) series
Guide to the Assessment of IT Risk (GAIT) series
IT Audit Guidance main page
GTAG 9 - Identity and Access Management
Download this guide (members only): English (PDF, 1MB); Spanish (800KB); French (813KB)
Purchase from The IIA Research Foundation Bookstore
Identity and access management (IAM) is a cross-functional process that helps organizations manage who has access to what information over a period of time. Poor or loosely controlled IAM processes may lead to regulatory noncompliance and an inability to determine whether company data is being misused.
Chief audit executives (CAEs) should be involved in developing the organization's IAM strategy and should evaluate the implementation of that strategy and the effectiveness of companywide access controls. The purpose of this GTAG is to provide insight into what IAM means to an organization and to suggest internal audit areas for investigation. It can help CAEs and other internal auditors understand, analyze, and monitor their organization's IAM processes. A checklist for IAM review is also included in this guide.
TABLE OF CONTENTS
1. Executive Summary
2. Introduction
2.1 Business Drivers
2.2 Identity and Access Management Concepts
2.3 Adoption Risks
3. Definition of Key Concepts
3.1 Identity Management vs. Entitlement Management
3.2 Identity and Access Management Components
3.3 Access Rights and Entitlements
3.4 Provisioning Process
3.5 Administration of Identities and Access Rights Process
3.6 Enforcement Process
3.7 Use of Technology in IAM
4. The Role of Internal Auditors
4.1 Current IAM Processes
4.2 Auditing IAM
Appendix A: IAM Review Checklist
Appendix B: Additional Information
Project Leader
Sajay Rai, Ernst & Young LLP
Authors
Frank Bresz, Ernst & Young LLP
Tim Renshaw, Ernst & Young LLP
Jeffrey Rozek, Ernst & Young LLP
Torpey White, Goldenberg Rosenthal LLP
Questions for the authors about this guide? E-mail guidance@theiia.org.