
This report is intended for use by the management of the Variable Annuity Life Insurance Company ("VALIC") and its subsidiaries, VALIC Retirement Services Company ("VRSCO") and VALIC Financial Advisors, Inc. ("VFA"), its user entities, and the independent auditors of its user entities, and is not intended and should not be used by anyone other than these specified parties.


Control Objective 13A - Controls provide reasonable assurance that logical access to V-System is properly authorized by VALIC Management.

Control Objective 13B - Controls provide reasonable assurance that logical access to distributed systems including SAP is properly authorized by VALIC Management.

| VALIC Control Activities | Tests of Operating Effectiveness | Results of Tests |
| --- | --- | --- |
| 13.11 (13A, 13B) Privileged access to the operating system and database level is granted to appropriate personnel based on job responsibilities and must be approved by a manager. | Inspected a sample of operating system level access for new users to determine whether access was granted to appropriate personnel based on job responsibilities and was approved by a manager. | No exceptions noted. |
| 13.12 (13A, 13B) Upon termination, access to the network is systematically revoked. | Inspected the listing of terminated users and compared the listing to current VALIC and R-1 Core domain network users to determine that user accounts were deleted at the VALIC and R-1 Core domain network level. | Exception noted. Termination requests were not made timely for 119 user accounts at the VALIC domain network level and R1 Core domain network level collectively out of the total population of 1,084. Of the 119 terminated users, 8 network accounts were accessed after termination. Refer to Section V for management's response. |
| 13.13 (13A, 13B) VALIC Security administrator personnel delete or disable access of terminated employees, in the mainframe and distributed applications upon notification. | Mainframe: Inspected the listing of VALIC terminated users and compared the listing to current users for the mainframe application to determine whether user accounts were deleted or disabled. | No exceptions noted. |
| | Distributed Systems: Inspected the listing of VALIC terminated users and compared the listing to current users for each distributed system to determine whether user accounts were deleted or disabled. | No exceptions noted. |

IV. VALIC control objectives and controls, and PricewaterhouseCoopers LLP's tests of operating effectiveness and results of tests