This report is intended for use by the management of the Variable Annuity Life Insurance Company ("VALIC") and its subsidiaries,
VALIC Retirement Services Company ("VRSCO") and VALIC Financial Advisors, Inc. ("VFA"), its user entities, and the independent
auditors of its user entities, and is not intended and should not be used by anyone other than these specified parties.
Control Objective 13A - Controls provide reasonable assurance that logical access to V-System is properly
authorized by VALIC Management.
Control Objective 13B - Controls provide reasonable assurance that logical access to distributed systems including
SAP is properly authorized by VALIC Management.
| VALIC Control Activities | Tests of Operating Effectiveness | Results of Tests |
|---|---|---|
| 13.14 (13B) User access rights, privileges, functions, entitlements, roles and/or profiles within SAP are disabled when notified that a user has been terminated. | Inspected a sample of terminated users to determine whether access was removed or disabled in SAP. | No exceptions noted. |
| 13.15 (13A, 13B) VALIC managers perform an annual review of VALIC user access to the mainframe and distributed applications by reviewing current user profiles/privileges. A list of corrections is prepared and forwarded to the security administrator for processing. | Mainframe: Inspected the annual user access review performed in SOAR to determine whether VALIC managers reviewed VALIC users’ access to the mainframe application. | No exceptions noted. |
| | Mainframe: Inspected a sample of documentation to determine whether changes resulting from user access reviews were processed. | No exceptions noted. |
| | Distributed Systems: Inspected the annual user access review performed in SailPoint to determine whether VALIC managers reviewed VALIC users’ access to all distributed systems. | No exceptions noted. |
| | Distributed Systems: Inspected a sample of documentation to determine whether changes resulting from user access reviews were processed. | No exceptions noted. |
| 13.16 (13A, 13B) Users with privileged access to the operating system and database level are reviewed on an annual basis for appropriateness. Recertification items (including modification or deletion of access) that require further review are addressed by management in a timely manner. | Inspected annual operating system and database recertifications to determine whether management performed an annual recertification to ensure that privileges were restricted to appropriate users based on job responsibilities. | No exceptions noted. |
| | Inspected changes to users’ privilege, identified as part of the recertification, to determine whether changes were performed as requested. | No exceptions noted. |
IV. VALIC control objectives and controls, and PricewaterhouseCoopers LLP's tests of operating
effectiveness and results of tests