Auditing (also referred to as audit, accounting, or accountability) ensures that the activities associated with user access are logged for monitoring, regulatory, and investigative purposes.
Auditing strategies for IAM compliance:
- Identify the regulations your company must comply with, such as SOX (Sarbanes-Oxley), HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), and Basel II.
- Assess the current compliance baseline and perform a gap analysis.
- Implement IAM controls and compare them with industry standards and best practices, such as ISO 17799 (since renumbered ISO/IEC 27002).
- Measure, test, remediate, and demonstrate your IAM controls.
- Ensure IAM audit logs are secure (protected from tampering and unauthorized access) and scalable.
- Get IAM reporting tools that meet auditors' needs.
Usually, enterprise IT should have a dedicated governance/audit team (or professionals) to provide compliance guidelines. If it does not, consult an external audit professional service.
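The list above says IAM audit logs must be secure but does not show what that means in practice. The following is an added example (not code from the original page) of one way to make an access log tamper-evident: each entry carries a sequence number, the hash of the previous entry, and a keyed HMAC, so a modified, deleted, or reordered record is detected at verification time. The `AuditLog` class, its field names, the HMAC key, and the sample events are all assumptions made for this illustration.

```python
"""Tamper-evident IAM audit log: hash chain + keyed HMAC (added example)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # hypothetical "previous hash" for the first entry


def canonical(entry: dict) -> bytes:
    # Deterministic serialization so the same entry always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log; entries chain to their predecessor and are HMAC'd.

    The HMAC key must be held by the log writer/verifier, not by the
    accounts whose activity is being recorded; otherwise a privileged user
    could rewrite history and recompute valid tags.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def append(self, actor, action, target, outcome, ts=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
            "outcome": outcome,
            "prev": prev,
        }
        body["hash"] = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
        self.entries.append(body)
        return body

    def verify(self):
        """Return (True, count) if intact, else (False, index_of_first_bad_entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            # Deletion or reordering breaks the sequence/previous-hash link.
            if body.get("seq") != i or body.get("prev") != prev:
                return False, i
            expected = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
            # Modification of any field breaks the keyed tag.
            if not hmac.compare_digest(expected, entry["hash"]):
                return False, i
            prev = entry["hash"]
        return True, len(self.entries)


def demo():
    """Constructed sample events; returns the verification results."""
    log = AuditLog(key=b"example-log-key-keep-in-an-hsm")  # hypothetical key
    log.append("alice", "login", "sso-portal", "success", "2024-01-01T09:00:00Z")
    log.append("alice", "grant_role", "admin", "success", "2024-01-01T09:01:00Z")
    log.append("bob", "login", "sso-portal", "failure", "2024-01-01T09:02:00Z")
    intact = log.verify()

    # An insider tries to hide the role grant by editing its outcome.
    log.entries[1]["outcome"] = "denied"
    tampered = log.verify()

    # Another attempt: drop the record entirely.
    del log.entries[1]
    deleted = log.verify()
    return intact, tampered, deleted


if __name__ == "__main__":
    print(demo())
```

Scalability is the other half of the requirement: a hash chain is cheap to append to, but verification is linear in log size, so in practice you anchor the latest hash periodically (for example, to an external write-once store) and verify only the segment since the last anchor.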