This report is intended for use by the management of the Variable Annuity Life Insurance Company ("VALIC") and its subsidiaries.
VALIC Retirement Services Company ("VRSCO") and VALIC Financial Advisors, Inc. ("VFA"), its user entities, and the independent
auditors of its user entities, and is not intended and should not be used by anyone other than these specified parties.
Control Objective 13A - Controls provide reasonable assurance that logical access to V-System is properly authorized by VALIC Management.

Control Objective 13B - Controls provide reasonable assurance that logical access to distributed systems including SAP is properly authorized by VALIC Management.

| VALIC Control Activities | Tests of Operating Effectiveness | Results of Tests |
| --- | --- | --- |
| 13.3 (13A, 13B) Oracle and SQL database activity is monitored daily to detect inappropriate activity within the database. | Oracle: Inspected a sample of daily reports to determine whether they were appropriately reviewed. | No exceptions noted. |
| | SQL: Inspected a sample of daily reports to determine whether they were appropriately reviewed. | No exceptions noted. |
| 13.4 (13A) VALIC users are required to use a password for mainframe application access, have a password that must be a minimum of eight characters long and include letters and at least one embedded number, change their password every 90 days and have their user ID code revoked after three failed log in attempts. | Inspected the password configurations for V-System to determine whether passwords were a minimum of eight characters in length, had at least one embedded number (alpha-numeric mix) and letters, must be changed every 90 days, and three failed logon attempts resulted in revocation of the user ID code. | No exceptions noted. |
| 13.5 (13A, 13B) Operating system passwords are required, must meet current policy and standards which include a minimum of eight characters in length and must be changed every 90 days. | VALIC Domain: Inspected the password configurations for VALIC Active Directory to determine whether a password is required, password was a minimum of eight characters in length and must be changed every 90 days. | No exceptions noted. |
| | R-1 Core Domain: Inspected the password configurations for R-1 Core Active Directory to determine whether a password is required, password was a minimum of eight characters in length and must be changed every 90 days. | No exceptions noted. |
| 13.6 (13A, 13B) Network domain accounts that have been inactive for more than 90 days are flagged and disabled on a monthly basis. | Inspected a sample of monthly inactivity report listings. For all users listed as active and who have not logged into the network in the past 45+ days, inspected evidence to ensure the users were disabled appropriately. | No exceptions noted. |

IV. VALIC control objectives and controls, and PricewaterhouseCoopers LLP's tests of operating
effectiveness and results of tests