GTAG 9 - Identity and Access Management

GTAG 9 - Identity and Access Management

Identity and access management (IAM) is a cross-functional process that helps organizations to manage who has access to what information over a period of time. Poor or loosely controlled IAM processes may lead to organizational regulatory noncompliance and an inability to determine whether company data is being misused.

CAEs should be involved in the development of the organization's IAM strategy as well as evaluate the implementation of the strategy and effectiveness of companywide access controls. The purpose of this GTAG is to provide insight into what IAM means to an organization and to suggest internal audit areas for investigation. It can assist CAEs and other internal auditors to understand, analyze, and monitor their organization's IAM processes. A checklist for IAM review is also included in this guide