Identity and Access Management as an Audit Tool

Ralph DeFrangesco

Today auditing is a reality, required of every public company. Audits have become so important that they command board-level attention. The advantage of an identity and access management tool is that it lets an organization log, control, audit and report on which users have access to which information assets.


Regulatory and compliance requirements are among the main drivers behind identity and access management tools. Organizations need to demonstrate that account administration and access controls are operating according to policy. A good tool should serve as the cornerstone of an organization's governance, risk and compliance strategy. Among the capabilities a solution should deliver: always knowing who is accessing what, when they are doing it and whether they are authorized; automatic provisioning of accounts; and integration with enterprise applications.


An auditor wants to "see" proof of compliance. Most of these tools produce an audit trail that auditors should accept as evidence in a general controls audit. Even a basic identity and access management tool should help an organization meet most of the access-control requirements that regulations like HIPAA and PCI DSS impose.
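The kind of evidence an auditor asks for is usually a reconciliation: the HR roster says who should exist, the policy says what each role may touch, the directory says what was actually granted, and the access log says what was actually used. The script below is an added example (not from the original post or from any particular IAM product) that runs that reconciliation over constructed sample data; the roster, entitlement table, account store and log lines are all hypothetical. It reports orphan accounts, terminated users still provisioned, grants beyond a user's role, and access events the policy does not authorize.

```python
"""Access-review evidence generator: reconcile identity data against an access log.

Added example, not code from the original post or any IAM product.
Every data set below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed HR roster: current employees and their job role.
HR_ROSTER = {
    "alice": {"role": "billing", "status": "active"},
    "bob":   {"role": "claims",  "status": "active"},
    "carol": {"role": "billing", "status": "terminated"},
}

# Constructed policy: which roles are authorized for which information assets.
ROLE_ENTITLEMENTS = {
    "billing": {"billing-db", "patient-portal"},
    "claims":  {"claims-db", "patient-portal"},
}

# Constructed account store: what the directory actually holds per user.
ACCOUNTS = {
    "alice": {"billing-db", "patient-portal"},
    "bob":   {"claims-db", "patient-portal", "billing-db"},  # grant beyond role
    "carol": {"billing-db"},                                  # terminated, still provisioned
    "svc_legacy": {"claims-db"},                              # no HR owner at all
}

# Constructed access log: ISO timestamp, user, asset, action.
ACCESS_LOG = """\
2009-06-30T08:12:05 alice billing-db READ
2009-06-30T08:15:44 bob claims-db READ
2009-06-30T09:02:10 bob billing-db READ
2009-06-30T22:41:59 carol billing-db READ
2009-07-01T03:10:00 svc_legacy claims-db READ
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    user: str
    asset: str
    when: str  # ISO timestamp for an event finding, "" for a static (provisioning) finding


def authorized_assets(user):
    """Assets the user is entitled to by role; empty unless they are an active employee."""
    person = HR_ROSTER.get(user)
    if person is None or person["status"] != "active":
        return set()
    return ROLE_ENTITLEMENTS.get(person["role"], set())


def review_provisioning():
    """Static review of the account store against HR and policy."""
    findings = []
    for user, granted in sorted(ACCOUNTS.items()):
        person = HR_ROSTER.get(user)
        if person is None:
            findings += [Finding("orphan_account", user, a, "") for a in sorted(granted)]
        elif person["status"] != "active":
            findings += [Finding("terminated_still_provisioned", user, a, "")
                         for a in sorted(granted)]
        else:
            for a in sorted(granted - authorized_assets(user)):
                findings.append(Finding("excess_grant", user, a, ""))
    return findings


def parse_log(text):
    """Parse whitespace-separated log lines; malformed timestamps raise ValueError."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, asset, action = line.split()
        datetime.fromisoformat(ts)  # validate; a garbled timestamp is itself an audit issue
        events.append((ts, user, asset, action))
    return events


def review_access_events(log_text):
    """Dynamic review: every logged access the policy does not authorize for that user."""
    return [Finding("unauthorized_access", user, asset, ts)
            for ts, user, asset, action in parse_log(log_text)
            if asset not in authorized_assets(user)]


def evidence_report(log_text=ACCESS_LOG):
    """Combined, deterministically ordered list an auditor can sample from."""
    return sorted(review_provisioning() + review_access_events(log_text),
                  key=lambda f: (f.kind, f.user, f.asset, f.when))


if __name__ == "__main__":
    for f in evidence_report():
        print(f"{f.kind:30} {f.user:12} {f.asset:16} {f.when}")
```

The two reviews deliberately stay separate: the provisioning review answers "who could access what" and catches the terminated and orphan accounts even if they never log in, while the event review answers "who did access what" and catches use of a grant that should not exist. Both are keyed off the same `authorized_assets` policy lookup, so the policy is stated once and the two reports cannot drift apart.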


Lora Bentley, governance and risk blogger for IT Business Edge, made a very interesting post pointing out that HIPAA may have a new enforcement mechanism because of the HITECH Act, signed into law in February 2009 as part of the American Recovery and Reinvestment Act. The new law gives government officials more power when enforcing HIPAA, especially when dealing with companies that do business in multiple states. An identity and access management tool would be a natural fit for such a company, providing a common reporting framework across all of its jurisdictions.


The major problem I see is that there is no comprehensive identity and access management tool; no single product covers the whole space. Some people would argue that best of breed is better. From an auditing perspective, I will tell you that a tool that outputs one standard format or report is more desirable. Unfortunately, auditors will have to deal with a federated solution for now. In my next post on identity and access management, I will explore best-of-breed tools versus more comprehensive ones.

Jul 2, 2009 1:43 AM Michael Stagar says:

Dear Ralph:

Great post!

1. As a CPA, CFE & CITRMS (Certified Fraud Examiner & Certified Identity Theft Risk Management Specialist), it may take years and a good deal of decision-making to form a standardization process. Congress writes the law; the bureaucracy writes the general management protocols; and industry must accomplish all the necessary 'tool' requirements to carry out the law.

2. You hit it right on the head: "seeing proof". If the auditor does not see proof, it did not occur. Reliance on the audit trail through documentation creates due diligence.

3. We need much more cooperation between government and industry. However, some of our 19/20th century regulations on antitrust, and related ventures need to be revisited based on 21st century technology. And as a CFE, I would humbly suggest that the 'bad guys' are already organizing and creating the ways and the means to defeat the law.

Semper Fi

Jul 2, 2009 2:51 AM Ralph DeFrangesco says, in response to Michael Stagar:


You have a very impressive background. Thank you for taking the time to respond. I appreciate your comments and support.


