N
IAM Assurance Engagement
Najm Financial Services Co.
Audit Period
9 Jul 2025 – 11 Nov 2025
Auditor
kay Shahbaaz | خ شهباز
ISO 27001 A.9 SAMA CSF NCA ECC
IAM Compliance Score
62
%
Needs Improvement
Target: ≥ 85% for SAMA CSF compliance
Critical Findings
23
Immediate action required
High Risk
47
Remediate within 7 days
Medium Risk
89
Remediate within 30 days
Low Risk
34
Schedule for next cycle
FINDINGS BY AUDIT CHECK
Violations per check category
RISK DISTRIBUTION BY DEPARTMENT
Findings breakdown per business unit
SYSTEM RISK EXPOSURE
Critical & high findings per system
Audit Checks — Click to View Findings
CHECK 01
Dormant Accounts
No login in 90+ days
HIGH
ISO A.9.2.5 SAMA AC-3 NCA IAM-3
38
Findings
6
Critical Systems
CHECK 02
Orphaned Accounts
Terminated employees with active access
CRITICAL
ISO A.9.2.6 SAMA AC-2 NCA IAM-2
23
Findings
3
Depts Affected
CHECK 03
Privileged Account Monitoring
Admin accounts without MFA / overdue reviews
CRITICAL
ISO A.9.4.4 SAMA AC-6 NCA IAM-5
14
PAM Violations
9
No MFA
CHECK 04
Segregation of Duties Violations
Conflicting role combinations detected
CRITICAL
ISO A.9.2.3 SAMA AC-5 NCA IAM-4
11
SoD Conflicts
3
Conflict Types
CHECK 05
Excessive Permissions
Least privilege principle violations
HIGH
ISO A.9.2.2 SAMA AC-6 NCA IAM-3
31
Findings
5
Systems Affected
CHECK 06
JML Process Compliance
Joiner, Mover & Leaver lifecycle gaps
HIGH
ISO A.9.2.1 SAMA AC-2 NCA IAM-1
42
JML Gaps
J:12 M:8 L:22
J/M/L Split
CHECK 07
Failed Login Anomalies (Brute Force Detection)
Accounts with 5+ failed attempts in 24h — external IPs flagged
HIGH
ISO A.9.4.2 SAMA SI-3 NCA IAM-6
44
Anomaly Events
7
External IP Attacks
2
Potential Breaches
Control Framework Mapping
ISO 27001 — Annex A.9
A.9.2.1
User registration & deregistration
A.9.2.2
User access provisioning
A.9.2.3
Management of privileged rights
A.9.2.5
Review of user access rights
A.9.2.6
Removal of access rights
A.9.4.2
Secure log-on procedures
A.9.4.4
Use of privileged utility programs
SAMA CSF — Access Control
AC-2
Account management
AC-3
Access enforcement
AC-5
Separation of duties
AC-6
Least privilege
SI-3
Malicious code protection
NCA ECC — IAM Domain
IAM-1
Identity lifecycle management
IAM-2
Access provisioning & deprovisioning
IAM-3
Privileged access management
IAM-4
Segregation of duties
IAM-5
Privileged account controls
IAM-6
Authentication & access logging
Non-Compliant — Active Findings Partially Compliant Compliant