This report is intended for use by the management of the Variable Annuity Life Insurance Company ("VALIC") and its subsidiaries.

VALIC Retirement Services Company ("VRSCO") and VALIC Financial Advisors, Inc. ("VFA"), its user entities, and the independent

auditors of its user entities, and is not intended and should not be used by anyone other than these specified parties.

Back to TOC

Click

VALIC

.com 93

V. Other information provided by VALIC: Management's response to operating effectiveness exceptions

Control Activitiy

Description of Exception

Management Response

13.12 (13A, 13B) Upon termination,

access to the network is

systematically revoked.

Termination requests were not

made timely for 119 user accounts

at the VALIC domain network level

and R1 Core domain network level

collectively out of the total population

of 1,084. Of the 119 terminated users,

8 network accounts were accessed

after termination.

Management reviewed application

logs and confirmed none of the 8

terminated users logged into an

application subsequent to termination

date. To remediate, management is

taking actions to improve timeliness

of termination notification to HR,

including:

1) monthly notification sent to all

managers to review their employee

data for accuracy, including terminated

employees

2) self reporting of resignation

3) dashboard available to managers

to monitor timeliness of termination

reporting

4) HR and Technology Risk Office

improving awareness around the

importance of timely termination

through training sessions

5) management implemented a control

to identify and investigate instances

where a terminated employee's

account accesses an application after

the termination date. In addition,

management is performing a feasibility

study around disabling network

accounts after 10 days of inactivity.