
This report is intended for use by the management of the Variable Annuity Life Insurance Company ("VALIC") and its subsidiaries, VALIC Retirement Services Company ("VRSCO") and VALIC Financial Advisors, Inc. ("VFA"), its user entities, and the independent auditors of its user entities, and is not intended and should not be used by anyone other than these specified parties.


Control Objective 13A - Controls provide reasonable assurance that logical access to V-System is properly authorized by VALIC Management.

Control Objective 13B - Controls provide reasonable assurance that logical access to distributed systems including SAP is properly authorized by VALIC Management.

| VALIC Control Activities | Tests of Operating Effectiveness | Results of Tests |
| --- | --- | --- |
| 13.14 (13B) User access rights, privileges, functions, entitlements, roles and/or profiles within SAP are disabled when notified that a user has been terminated. | Inspected a sample of terminated users to determine whether access was removed or disabled in SAP. | No exceptions noted. |
| 13.15 (13A, 13B) VALIC managers perform an annual review of VALIC user access to the mainframe and distributed applications by reviewing current user profiles/privileges. A list of corrections is prepared and forwarded to the security administrator for processing. | Mainframe: Inspected the annual user access review performed in SOAR to determine whether VALIC managers reviewed VALIC users’ access to the mainframe application. | No exceptions noted. |
| | Mainframe: Inspected a sample of documentation to determine whether changes resulting from user access reviews were processed. | No exceptions noted. |
| | Distributed Systems: Inspected the annual user access review performed in SailPoint to determine whether VALIC managers reviewed VALIC users’ access to all distributed systems. | No exceptions noted. |
| | Distributed Systems: Inspected a sample of documentation to determine whether changes resulting from user access reviews were processed. | No exceptions noted. |
| 13.16 (13A, 13B) Users with privileged access to the operating system and database level are reviewed on an annual basis for appropriateness. Recertification items (including modification or deletion of access) that require further review are addressed by management in a timely manner. | Inspected annual operating system and database recertifications to determine whether management performed an annual recertification to ensure that privileges were restricted to appropriate users based on job responsibilities. | No exceptions noted. |
| | Inspected changes to users’ privilege, identified as part of the recertification, to determine whether changes were performed as requested. | No exceptions noted. |

IV. VALIC control objectives and controls, and PricewaterhouseCoopers LLP's tests of operating effectiveness and results of tests