This report is intended for use by the management of the Variable Annuity Life Insurance Company ("VALIC") and its subsidiaries,
VALIC Retirement Services Company ("VRSCO") and VALIC Financial Advisors, Inc. ("VFA"), its user entities, and the independent
auditors of its user entities, and is not intended and should not be used by anyone other than these specified parties.
Control Objective 13A - Controls provide reasonable assurance that logical access to V-System is properly authorized by VALIC Management.

Control Objective 13B - Controls provide reasonable assurance that logical access to distributed systems including SAP is properly authorized by VALIC Management.

| VALIC Control Activities | Tests of Operating Effectiveness | Results of Tests |
|---|---|---|
| 13.11 (13A, 13B) Privileged access to the operating system and database level is granted to appropriate personnel based on job responsibilities and must be approved by a manager. | Inspected a sample of operating system level access for new users to determine whether access was granted to appropriate personnel based on job responsibilities and was approved by a manager. | No exceptions noted. |
| 13.12 (13A, 13B) Upon termination, access to the network is systematically revoked. | Inspected the listing of terminated users and compared the listing to current VALIC and R-1 Core domain network users to determine that user accounts were deleted at the VALIC and R-1 Core domain network level. | Exception noted. Termination requests were not made timely for 119 user accounts at the VALIC domain network level and R1 Core domain network level collectively out of the total population of 1,084. Of the 119 terminated users, 8 network accounts were accessed after termination. Refer to Section V for management's response. |
| 13.13 (13A, 13B) VALIC Security administrator personnel delete or disable access of terminated employees, in the mainframe and distributed applications upon notification. | Mainframe: Inspected the listing of VALIC terminated users and compared the listing to current users for the mainframe application to determine whether user accounts were deleted or disabled. | No exceptions noted. |
| | Distributed Systems: Inspected the listing of VALIC terminated users and compared the listing to current users for each distributed system to determine whether user accounts were deleted or disabled. | No exceptions noted. |

IV. VALIC control objectives and controls, and PricewaterhouseCoopers LLP's tests of operating
effectiveness and results of tests