![Show Menu](styles/mobile-menu.png)
![Page Background](./../common/page-substrates/page0276.png)
This report is intended for use by the management of the Variable Annuity Life Insurance Company ("VALIC") and its subsidiaries.
VALIC Retirement Services Company ("VRSCO") and VALIC Financial Advisors, Inc. ("VFA"), its user entities, and the independent
auditors of its user entities, and is not intended and should not be used by anyone other than these specified parties.
Back to TOCClick
VALIC
.com 90
Physical Access
Control Objective 16
- Controls provide reasonable assurance that physical access to computer equipment,
storage media and program documentation is restricted to authorized individuals.
VALIC Control Activities
Tests of Operating Effectiveness
Results of Tests
16.1 Physical access to data centers
is restricted to authorized
individuals. Access is granted to
appropriate personnel based on
job responsibilities and must be
approved by a manager.
Inspected a sample of new access
granted to the data center and related
access request forms to determine
whether the access is granted to
appropriate personnel based on job
responsibilities and approved by the
manager.
No exceptions noted.
16.2 Upon termination, physical access
to data centers is revoked timely.
Inspected a sample of terminated
employees from the master access
card list to determine whether the
individuals’ access was removed from
the data center timely.
Exception noted.
For 1 out of 25 terminated employees
sampled, physical access was not
removed timely.
Refer to Section V for
management's response.
16.3 Users with access to secure
and sensitive areas within the
data center are reviewed on a
quarterly basis. Recertification
items (including modification or
deletion of access) that require
further review are addressed by
management in a timely manner.
Inspected a sample of user access
reviews to the data centers (secure
rooms) to determine whether access
was reviewed and changes were
appropriately processed.
Inspected changes to data center
access, identified as part of the
recertification, to determine whether
changes were performed as requested.
No exceptions noted.
No exceptions noted.
IV. VALIC control objectives and controls, and PricewaterhouseCoopers LLP's tests of operating
effectiveness and results of tests