How effective IAM builds trust and consistency in SOC reporting

To meet reporting standards, organizations need to protect data, regularly review user access and confirm that controls are working.

In brief

  • Identity and access management practices directly impact the effectiveness and reliability of organizational controls.
  • Periodic user access reviews are the biggest challenge in identity and access management.
  • Leading practices include timely termination or transfer of access, centralized management, automation and ongoing training.

When a user leaves a company or changes roles, does their access to company systems update as well? All too often, it’s not the case, and it is harder to manage than it seems.

Effective identity and access management (IAM) policies and procedures help prevent unauthorized access, data breaches and fraud. To achieve this, organizations must monitor all internal and external users — their statuses, roles and access requirements — across the company, while keeping pace with rapidly changing technologies in both large, complex internally hosted and cloud environments.

Periodic review of user access continues to be the most persistent IAM challenge for many organizations. In a recent informal survey taken during the 13th annual EY System and Organization Controls (SOC) Reporting Virtual Conference, more than half of the respondents identified these reviews as their greatest IAM challenge. All access must be reviewed by appropriate management, with necessary changes implemented as identified. Any instances of unauthorized access should be evaluated to determine whether such access has been used inappropriately.

A leading practice is to terminate or transfer access in a timely manner, across all systems, upon a change in HR status. However, some organizations have hundreds of key systems with potentially thousands of permissions, and that becomes a very complex challenge to address.

The role of IAM in SOC reporting

Access management continues to drive a significant share of SOC report deviations. In a recent internal analysis of nearly 4,000 SOC reports supporting clients’ 2024 and 2025 financial audits, 54% of the deviations found in SOC 1 reports and 41% of the deviations in SOC 2 reports were related to logical access. 

IAM is foundational for SOC reporting because it impacts the effectiveness, reliability and auditability of an organization’s controls. SOC reports require organizations to demonstrate that they have appropriate controls, so only appropriate personnel maintain access to sensitive systems and data, and that access is regularly reviewed and updated.

When there are differences in how systems and access are managed, organizations are more prone to errors and inconsistencies. Recommended practices include centralized access management (introducing automation where possible), embedded controls, periodic access reviews (more frequent for privileged access) and ongoing training.

However, some organizations have hundreds of key systems with potentially thousands of permissions, making this a complex challenge. More than one in four attendees at the 13th annual EY SOC Reporting Virtual Conference said timely termination is their biggest area of concern.

Beyond SOC reporting, many organizations also rely on certification frameworks to reinforce the consistency and discipline of their identity and access management practices. Certification requirements emphasize standardized governance, documented processes and continuous monitoring, all of which closely align with the IAM expectations of ISO/IEC 27001:2022.

While certification does not replace SOC reporting, it can strengthen confidence in the underlying control environment. Organizations with IAM practices aligned to certification criteria are often better positioned to demonstrate sustained control operation, clearer access hygiene and ownership, and fewer access-related deviations over time.

Customers care about how their data is protected, leading to a high level of interest in the IAM process, controls and testing results in a SOC report. Organizations can build customer confidence in how data is protected through clear responsibilities and automation to facilitate consistent execution of IAM controls.

What is the biggest IAM challenge your organization is experiencing?

  • 51%: Periodic user access reviews
  • 26%: Timely termination or transfer processing
  • 15%: Cloud access management
  • 8%: Multifactor authentication

Three identity and access management priorities for stronger SOC reporting

1. Mature IAM to reduce access-related deviations

Strengthening provisioning and access removal processes in accordance with human resources changes helps ensure users have only the access they need — and only for as long as they need it. This directly reduces the risk of deviations in your SOC reports.

2. Adopt scalable access models that evolve and are reviewed with the business

Role-based access and on-demand permissions give organizations greater control and visibility. Periodic review helps ensure users’ access remains appropriate as roles, permissions, personnel, technologies and risk profiles change.

3. Embed IAM discipline across every layer of the organization

Managing internal and external identities consistently, across cloud and on-premises environments, is critical to reducing unauthorized access and avoiding audit issues. Strong IAM execution supports both operational security and smoother SOC examinations.
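The three priorities above come down to one recurring reconciliation: compare what HR says about each person (status, current role) with what the systems actually grant, and flag leavers who still hold access, movers who kept permissions from a previous role, and accounts with no owner in HR. The following is an added example written for this article, not code from the original page or from EY. The HR roster, the role model, the entitlement export and the one-day removal SLA are all constructed, labelled sample data; the function and field names are the example's own assumptions, not any product's API.

```python
"""Joiner/mover/leaver reconciliation for a periodic user access review.

Illustrative example added to this article; not code from the original page.
Assumes two constructed inputs: an HR roster (status, role, effective date)
and an entitlement export from several systems (user, system, permission).
Role names, system names and REMOVAL_SLA_DAYS are assumptions for the sample.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: one record per person, as an HR feed might supply it.
HR_ROSTER = {
    "alice": {"status": "active", "role": "ap_clerk", "effective": date(2023, 1, 9)},
    "bob":   {"status": "terminated", "role": "dba", "effective": date(2025, 3, 3)},
    "carol": {"status": "active", "role": "ap_clerk", "effective": date(2025, 4, 1)},  # moved from payroll
    "dave":  {"status": "active", "role": "sysadmin", "effective": date(2022, 6, 20)},
}

# Assumed role model: the (system, permission) pairs each role is entitled to.
ROLE_MODEL = {
    "ap_clerk": {("erp", "ap.invoice.create"), ("erp", "ap.invoice.view")},
    "payroll":  {("hris", "payroll.run"), ("hris", "payroll.view")},
    "dba":      {("db", "admin")},
    "sysadmin": {("iam", "admin"), ("db", "admin")},
}

# Constructed entitlement export, as an IAM tool or each system's own export might give it.
ENTITLEMENTS = [
    ("alice", "erp", "ap.invoice.create"),
    ("alice", "erp", "ap.invoice.view"),
    ("bob",   "db",  "admin"),               # leaver still holds DBA rights
    ("carol", "erp", "ap.invoice.create"),
    ("carol", "hris", "payroll.run"),        # mover kept a permission from the old role
    ("dave",  "iam", "admin"),
    ("dave",  "db",  "admin"),
    ("eve",   "erp", "ap.invoice.view"),     # account with no HR record at all
]

REMOVAL_SLA_DAYS = 1                 # assumed policy: leaver access removed within one day
AS_OF = date(2025, 6, 30)            # constructed review date


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    permission: str
    kind: str        # "leaver", "mover_excess" or "orphan"
    detail: str


def review_access(hr, role_model, entitlements, as_of):
    """Return the findings a reviewer must act on, sorted for a stable report."""
    findings = []
    for user, system, perm in entitlements:
        record = hr.get(user)
        if record is None:
            # Nobody in HR owns this account: cannot be attested, must be investigated.
            findings.append(Finding(user, system, perm, "orphan", "no HR record for this account"))
            continue
        if record["status"] == "terminated":
            # Leaver with live access: report how far past the removal SLA it is.
            overdue = max((as_of - record["effective"]).days - REMOVAL_SLA_DAYS, 0)
            findings.append(Finding(user, system, perm, "leaver",
                                    f"terminated {record['effective']}, removal overdue by {overdue} days"))
            continue
        # Active user: every permission must be explained by the current role.
        allowed = role_model.get(record["role"], set())
        if (system, perm) not in allowed:
            findings.append(Finding(user, system, perm, "mover_excess",
                                    f"not granted by current role '{record['role']}'"))
    return sorted(findings, key=lambda f: (f.kind, f.user, f.system, f.permission))


def summarize(findings):
    """Count findings per kind: the headline figures for the review sign-off."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def run_review():
    """Run the reconciliation over the constructed sample data."""
    return review_access(HR_ROSTER, ROLE_MODEL, ENTITLEMENTS, AS_OF)


if __name__ == "__main__":
    results = run_review()
    for f in results:
        print(f"{f.kind:13} {f.user:6} {f.system:5} {f.permission:18} {f.detail}")
    print(summarize(results))
```

Run as-is it reports one leaver (bob, overdue well beyond the SLA), one mover with excess access (carol's retained payroll permission) and one orphaned account (eve). Keying the check on the HR effective date is what turns "timely termination" into something measurable: the report states how many days each leaver exceeded the SLA, which is the evidence a SOC reviewer asks for, and the role model makes the review a comparison against an approved baseline rather than a manager eyeballing a raw permission list.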

As organizations become increasingly digital, identity has become the primary attack vector. IAM is the cornerstone of modern cybersecurity, ensuring that the right individuals have the right access to the right resources at the right time; no more, no less. In a threat landscape where identity is the new perimeter, robust IAM is essential to protecting critical assets and maintaining trust.

Summary

In business environments where numerous employees access critical systems daily, identity and access management plays a crucial role. Ideally, any role modification or departure would immediately prompt an adjustment of access rights. However, many organizations find that monitoring and managing appropriate levels of access for every user present a significant challenge. Effective IAM policies help mitigate the risks of security incidents and audit deficiencies, reinforcing the organization’s overall resilience.
