
NEW! Global Technology Audit Guide: Auditing Identity and Access Management

Recommended Guidance

Auditing Identity and Access Management

Identity and access management (IAM) covers the policies, processes, and tools for ensuring users have appropriate access to IT resources.

The “Auditing Identity and Access Management” GTAG will help internal auditors understand key terms and how to approach an audit to ensure their organization’s IAM protocols help mitigate potential security and regulatory risks. This knowledge will help internal auditors provide assurance that controls for managing access to IT resources are well designed and effectively implemented.

This guidance will enable internal auditors to understand:

  • IAM and develop a working knowledge of relevant processes, including related governance and security controls.
  • Risks and opportunities associated with IAM.
  • Components of the IAM process, including provisioning IDs, administering and authorizing access rights, and maintaining enforcement through authentication, reauthorization reviews, and automated account deactivation processes.
  • Some of the considerations and strategies for implementing IAM controls.
  • The basics of auditing IAM, including specific controls that should be evaluated.

Downloads and Links

English, German, Portuguese

Practice Guides are restricted to IIA members only.

Non-members may purchase this Practice Guide from the IIA Bookstore.
