On Wednesday, the Institute of Internal Auditors released a new Global Audit Technology Audit Guide on auditing identity and access management. “Auditing Identity and Access Management” discusses foundational IAM topics that are intertwined with every organization’s IT governance, application controls, and general controls.
The guide is designed to enable internal auditors to grasp technical topics so they can provide valuable assurance and advice through risk-based auditing and help their organizations close gaps in their IAM protocols.
After reading this guidance, internal auditors should be able to understand:
- IAM itself, with a working knowledge of relevant processes, including related governance and security controls.
- Risks and opportunities associated with IAM.
- Components of the IAM process, including provisioning IDs, administering and authorizing access rights, and maintaining enforcement through authentication, reauthorization reviews, and automated account deactivation processes.
- Some of the considerations and strategies for implementing IAM controls.
- The basics of auditing IAM, including specific controls that should be evaluated.
The guide is available as a free download for IIA members and for purchase by non-members through the IIA's bookstore.