Identity Audit Applications Streamline User Access Reviews

Auditors can harness a new generation of tools to provide assurance on compliance with access privileges and permissions.

Bob Glithero, CPA

Legislative mandates regarding data privacy, including the U.S. Health Insurance Portability and Accountability Act, the Graham-Leach-Bliley Act, and the new European Union Data Protection Directive, have pushed organizations to improve controls and protections over sensitive information in their care. Ensuring that user access rights to systems and data conform to defined and documented business needs is a critical part of an effective identity assurance program, particularly in combating security threats from insiders.

By examining user rights, access privileges, management approvals, and related information, internal auditors can validate user access to sensitive systems and applications. Unfortunately, this examination frequently involves excessive manual tracking, with auditors reviewing segregation of duties tables, access approvals and control lists, and activity logs to trace user activity back to approved permissions.

Recent identity-centric reporting applications provide an opportunity to streamline the review process. These tools highlight which user has access to specific applications and systems, facilitate policy-based access reviews, and enable a census of user activity in a time frame comparable to selecting and testing a sample of activity.

Analysts such as The Gartner Group have defined a new category of identity audit (IdA) applications that increase assurance that the organization has a reliable method to detect failures of user access compliance. The purpose of IdA applications is to help organizations identify differences between user permissions and user access activity.

IdA applications generally operate by loading lists of user rights from repositories such as Windows Server Active Directory, importing and aggregating user access data from systems and application activity logs into a centralized data store, and using pattern-matching algorithms to correlate user identities across various logs and compare user access activity to user rights. The application then presents access policy exceptions on a report or dashboard.

IdA tools represent a distinct category from identity management (IdM) software, which automates controls over provisioning of user access privileges. Although IdM tools are effective for the problem they are designed to solve, they are poorly suited to the needs of auditors and other reviewers because they do not report on actual user access activity and policy exceptions. In fact, IdM applications typically do not track user activity at all and therefore lack the critical information needed to perform IdA.

By contrast, IdA applications ensure the verification of policy remains separate and distinct from the enforcement of policy. Although the IdA application may be able to send remediation information to the IdM provisioning system — and linking the systems creates its own development and deployment challenges — the IdA solution should not provide remediation directly on its own, as this functionality could breach separation of control and auditing. Instead, the IdA application should pinpoint access exceptions in a way that quickly highlights access compliance weaknesses and tracks managers who are inattentive to remediation.

Although IdA applications are powerful tools for the compliance effort, with power comes complexity. Whether deployed as a standalone application, or as an overlay to an existing identity management suite, IdA applications represent yet another layer of software to implement in the overall identity management infrastructure. They require extensive resource planning, customization, and configuration before roll out. For example:

  • Many ship with pre-built connectors to retrieve activity data from common applications, but custom or unique applications require development of custom connectors and input filtering rules before activity review can begin.
  • They require extensive piloting before production deployment.
  • Their complexity in customization and configuration is a liability in a rapidly changing rights environment, whether change comes from internal user churn, system proliferation, or the integration of new systems via merger and acquisition.

As an alternative to IdA software applications installed on an organization’s computers, a new class of lightweight and agile analytical tools is emerging to report on user access compliance. These applications focus specifically on user privilege and access review for organizations that want to avoid complicated IdA installations that link directly to IdM provisioning systems. Delivered as an on-demand service via the Internet, these IdA applications provide the audit reporting capability of IdA software without the challenges and overhead of site-deployed software. In particular, these software-as-a-service applications:

  • Can adapt quickly to custom systems and applications without development of custom connectors. Instead, unmodified activity logs are simply uploaded into the application. The application’s analytical algorithms perform the necessary identity correlation across various system and application logs.
  • Report on actual user activity.
  • Quickly pinpoint compliance exceptions, focusing the remediation effort where needed.
  • Can be deployed quickly on a group, department, or even enterprise scale.
  • Can cope with moving access and privilege targets.

Above all, the use of service-based IdA enables the enterprise compliance effort to show faster results compared with traditional software solutions — vital at a time when corporate budgets are under scrutiny.

The emergence of identity-centric reporting applications promises to streamline the enterprise identity assurance effort and improve compliance. Organizations can now choose between site-deployed software and software-as-a-service for user access compliance, depending on the level of custom development, maintenance, and operational overhead they are willing and able to absorb, as well as the level of reporting agility that is needed. In either case, auditors stand to benefit from a reduced workload and increased audit coverage from the application of data analytics to a convoluted mass of user activity logs.

Bob Glithero is a certified public accountant specializing in IT risk and vulnerability assessments. He is based in the San Francisco Bay area.

To comment on this article, e-mail the author at

idA software
Do you know of any specific idA software applications.
Posted By: Brian Buckle
2011-04-07 6:58 AM


Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.





To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>


Subscribe_June 2014 



IIA Academic_Nov 2013

IIA SmartBrief

 IIA Vision University



facebook IAO