This report is intended for use by the management of the Variable Annuity Life Insurance Company ("VALIC") and its subsidiaries, VALIC Retirement Services Company ("VRSCO") and VALIC Financial Advisors, Inc. ("VFA"), its user entities, and the independent auditors of its user entities, and is not intended and should not be used by anyone other than these specified parties.

Control Objective 13A - Controls provide reasonable assurance that logical access to V-System is properly authorized by VALIC Management.

Control Objective 13B - Controls provide reasonable assurance that logical access to distributed systems including SAP is properly authorized by VALIC Management.

| VALIC Control Activities | Tests of Operating Effectiveness | Results of Tests |
| --- | --- | --- |
| 13.7 (13A, 13B) Contractor access is automatically revoked after 90 days unless the manager recertifies. | Inspected evidence that access for a contractor was revoked on the 90 day expiration date when not recertified by a manager. | No exceptions noted. |
| 13.8 (13A, 13B) New access requests of VALIC employees for the mainframe and distributed applications are documented and approved by appropriate VALIC management. | Mainframe: Inspected a sample of new user access requests for the mainframe application to determine whether the new user access requests were documented and appropriately approved by their managers. | No exceptions noted. |
| | Distributed Systems: Inspected a sample of new user access requests for distributed systems to determine whether the new user access requests were documented and appropriately approved by their managers. | No exceptions noted. |
| 13.9 (13B) New user access requests to the Oracle and SQL database are initiated and approved by appropriate VALIC management. | Oracle: Inspected a sample of new user access requests to Oracle databases to determine whether new user access requests were appropriately requested and approved in the DBA Help Desk or CMNA system prior to gaining access. | No exceptions noted. |
| | SQL: Inspected a sample of new user access requests to SQL databases to determine whether new user access requests were appropriately requested and approved in the DBA Request Form or CMNA ticket prior to gaining access. | No exceptions noted. |
| 13.10 (13B) Requests to add or change access to SAP must be documented and approved by an appropriate authority. | Inspected a sample of new and modified SAP user access to determine whether new user access requests were approved by the appropriate authority. | No exceptions noted. |

IV. VALIC control objectives and controls, and PricewaterhouseCoopers LLP's tests of operating effectiveness and results of tests