June 30, 2021
Published: The Institute of Internal Auditors
The IIA is pleased to announce its new GTAG that provides internal auditors with fundamental IT knowledge and information on an area that can carry significant security and regulatory risks.
Written for auditors of all experience levels, “Auditing Identity and Access Management” discusses foundational topics of IAM that are intertwined with every organization’s IT governance, application controls, and general controls.
It is designed to enable internal auditors to grasp technical topics so they can provide valuable assurance and advice through risk-based auditing and help their organizations close gaps in their IAM protocols.
After reading this guidance, internal auditors should be able to understand:
- IAM, with a working knowledge of relevant processes, including related governance and security controls.
- Risks and opportunities associated with IAM.
- Components of the IAM process, including provisioning IDs, administering and authorizing access rights, and maintaining enforcement through authentication, reauthorization reviews, and automated account deactivation processes.
- Some of the considerations and strategies for implementing IAM controls.
- The basics of auditing IAM, including specific controls that should be evaluated.