“Auditing Identity and Access Management” is intertwined with every organization’s IT governance, application controls, and general controls. The importance of IAM is compounded with the prevalence of connected IOT devices and use of cloud applications. This guidance helps internal auditors understand the key terms they need to know and how to approach an audit to ensure their organization’s IAM protocols help mitigate potential security and regulatory risks. After reading this guidance, internal auditors should be able to understand: • IAM and develop a working knowledge of relevant processes, including related governance and security controls. • Risks and opportunities associated with IAM. • Components of the IAM process, including provisioning IDs, administering and authorizing access rights, and maintaining enforcement through authentication, reauthorization reviews, and automated account deactivation processes. • Some of the considerations and strategies for implementing IAM controls. • The basics of auditing IAM, including specific controls that should be evaluated.