Guidance: Auditing Identity and Access Management

Identity and access management covers the policies, processes, and tools for ensuring users have appropriate access to IT resources.

The “Auditing Identity and Access Management” GTAG will help internal auditors understand key terms and how to approach an audit to ensure their organization’s IAM protocols help mitigate potential security and regulatory risks. This knowledge will help internal auditors provide assurance that controls for managing access to IT resources are well designed and effectively implemented.

This guidance will enable internal auditors to understand:

• IAM and develop a working knowledge of relevant processes, including related governance and security controls.
• Risks and opportunities associated with IAM.
• Components of the IAM process, including provisioning IDs, administering and authorizing access rights, and maintaining enforcement through authentication, reauthorization reviews, and automated account deactivation processes.
• Some of the considerations and strategies for implementing IAM controls.
• The basics of auditing IAM, including specific controls that should be evaluated.