
GRC 10.0 Access request Management Audit

Former Member

Hello All,

Can anyone let me know what auditors check when they audit GRC 10.0 Access Request Management (excluding configuration)?

Thanks

Mohammed Wasim

Accepted Solutions (1)


AndrzejP

Hi,

ARM supports key ITGC controls for user access management, so an audit would probably also cover:

- review of updated processes & controls
- check (based on a sample) whether all requests were properly approved
- review of the correctness of approver assignment
- verification that what was requested was provisioned
- timely removal of terminated access
- review of SoD controls embedded in the process
- periodic review of user access

and maybe some more controls. In most cases it will be sample-based testing, so auditors may ask for a sample of requests to trace them to back-end systems and, in the opposite direction, a sample of changes in users' privileges to verify that proper requests were prepared for those changes...

Sometimes they could perform more tests on configuration and process, but this is up to the particular auditor.

Best regards, Andrzej
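
The two-directional tracing described in the answer above, as an added example that is not part of the original post: it reconciles an export of access requests against an export of back-end role assignments. The data is constructed and the column names are hypothetical, not SAP table fields.

```python
import csv
import io

# Constructed sample exports; column names are hypothetical, not SAP table fields.
REQUESTS_CSV = """request_id,user,role,status
REQ-1001,JDOE,Z_AP_CLERK,APPROVED
REQ-1002,ASMITH,Z_GL_POST,APPROVED
REQ-1003,BLEE,Z_VENDOR_MAINT,REJECTED
"""

CHANGES_CSV = """user,role,action
JDOE,Z_AP_CLERK,ASSIGN
BLEE,Z_VENDOR_MAINT,ASSIGN
CKIM,Z_PAY_RUN,ASSIGN
"""


def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(requests, changes):
    """Trace in both directions; return (not_provisioned, unsupported)."""
    # Only approved requests justify an assignment in the back end.
    approved = {(r["user"], r["role"]): r["request_id"]
                for r in requests if r["status"] == "APPROVED"}
    assigned = {(c["user"], c["role"])
                for c in changes if c["action"] == "ASSIGN"}
    # Forward trace: approved request with no matching back-end assignment.
    not_provisioned = sorted(rid for key, rid in approved.items()
                             if key not in assigned)
    # Reverse trace: back-end assignment with no approved request behind it
    # (covers both "no request at all" and "request was rejected").
    unsupported = sorted(key for key in assigned if key not in approved)
    return not_provisioned, unsupported


if __name__ == "__main__":
    missing, unsupported = reconcile(load(REQUESTS_CSV), load(CHANGES_CSV))
    print("Approved but not provisioned:", missing)
    print("Provisioned without an approved request:", unsupported)
```
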
