Identity and access management: a key challenge in SOC reporting

When a user leaves a company or changes roles, does their access to company systems update as well? All too often, it’s not the case, and it is harder to manage than it seems.
 

Effective identity and access management (IAM) policies and procedures help prevent unauthorized access, data breaches and fraud. To achieve this, organizations must monitor all internal and external users — their statuses, roles and access requirements — across the company, while keeping pace with rapidly changing technologies in both large, complex internally hosted and cloud environments.

Periodic review of user access is among the biggest IAM issues for organizations. In a recent informal survey taken during our 13th annual EY System and Organization Controls (SOC) Reporting Virtual Conference, more than half of the respondents identified these reviews as their greatest IAM challenge.
 

Periodic user access reviews require a comprehensive and accurate inventory of both internal and external user access. All access must be reviewed by appropriate management, with necessary changes implemented as identified. Any instances of unauthorized access should be evaluated to determine whether such access has been used inappropriately.   

The role of IAM in SOC reporting

Access management remains a frequent source of deviations in SOC reports. In our recent internal analysis of more than 2,000 SOC reports supporting clients’ 2024 and 2025 financial audits, 52% of the deviations found in SOC 1 reports and 40% of the deviations in SOC 2 reports were related to logical access. 

IAM is foundational for SOC reporting because it impacts the effectiveness, reliability and auditability of an organization’s controls. SOC reports require organizations to demonstrate that they have appropriate controls so only appropriate personnel maintain access to sensitive systems and data, and that access is regularly reviewed and updated.

When there are differences in how systems and access are managed, organizations are more prone to errors and inconsistencies. Recommended practices include centralized access management (introducing automation where possible), embedded controls, periodic access reviews (more frequent for privileged access) and ongoing training.

It’s no surprise that a leading practice is to terminate or transfer access in a timely manner across all systems, upon a change in HR status. However, some organizations have hundreds of key systems with potentially thousands of permissions/entitlements and users across the organization, and that becomes a very complex challenge to deal with. More than one in four attendees at the 13th annual EY SOC Reporting Virtual Conference said timely termination is the biggest area of concern their organization is experiencing. Cloud access management and multifactor authentication also pose difficulty.