CAs are increasingly being asked to review and certify Identity and Access Management as part of Internal Financial Controls because the nature of financial risk itself has changed.

Identity and Access Management, in practical terms, determines who can enter a system, what actions they are permitted to perform, and whether those permissions change when roles, responsibilities, or employment status change.

Regulators have observed that many financial irregularities do not originate from complex transactions but from simple access failures such as excessive rights, inactive user IDs, or lack of segregation within systems.

These failures directly affect the reliability of financial information and therefore fall squarely within the scope of Internal Financial Controls.

The National Financial Reporting Authority (NFRA) has recently (January 2026) issued circulars emphasizing the need for auditors to communicate significant internal control weaknesses to Boards. IAM is frequently identified as a “significant deficiency” if not managed properly.

As organisations adopt digital and cloud-based systems at scale, IFC can no longer be assessed in isolation from technology controls.

This shift enhances credibility by demonstrating that financial assurance now extends into the digital environment where modern business actually operates.