
This report is intended for use by the management of the Variable Annuity Life Insurance Company ("VALIC") and its subsidiaries, VALIC Retirement Services Company ("VRSCO") and VALIC Financial Advisors, Inc. ("VFA"), its user entities, and the independent auditors of its user entities, and is not intended and should not be used by anyone other than these specified parties.


Control Objective 13A - Controls provide reasonable assurance that logical access to V-System is properly authorized by VALIC Management.

Control Objective 13B - Controls provide reasonable assurance that logical access to distributed systems including SAP is properly authorized by VALIC Management.

| VALIC Control Activities | Tests of Operating Effectiveness | Results of Tests |
|---|---|---|
| 13.17 (13A, 13B) VALIC managers perform annual reviews of Oracle, SQL and DB2 database user access by reviewing current user profiles/privileges. A list of corrections is prepared and forwarded to the security administrator for processing. | Inspected a sample of Oracle, SQL, and DB2 user access reviews to determine whether VALIC managers reviewed VALIC users’ access. | No exceptions noted. |
| | Inspected a sample of change requests to determine whether changes resulting from user access reviews were processed. | No exceptions noted. |
| 13.18 (13B) User access to SAP is reviewed annually and recertified by an appropriate authority to confirm that the access is aligned with the user’s current job functions. Changes to user access discovered during the recertification are acted upon by an appropriate authority. | Inspected a sample of SAP user access reviews performed in SailPoint to determine whether VALIC managers reviewed VALIC users’ access. | No exceptions noted. |
| | Inspected a sample of change requests to determine whether changes resulting from user access reviews were processed. | No exceptions noted. |

IV. VALIC control objectives and controls, and PricewaterhouseCoopers LLP's tests of operating effectiveness and results of tests