Strategic Shareholder Climate and Risk Financial Financial Barclays PLC 408 report information sustainability report Governance review review statements Annual Report 2022 KPMG LLP’s independent auditor’s report to the members of Barclays PLC (continued) 4.4 User access management Financial Statement Elements Our assessment of risk vs FY21 Our results User access management has a potential impact FY22 and FY21: 1 Our assessment is the risk is similar to FY21 throughout the financial statements. Our testing did not identify unauthorised user activities in the systems relevant to financial reporting which would have required us to significantly expand the extent of our planned detailed testing. Description of the Key Audit Matter Our response to the risk Control Performance Our procedures to address the risk included: Operations across several countries support a wide Control testing: We tested the design, implementation and operating effectiveness of range of products and services resulting in a large and automated controls that support material balances in the financial statements. We also complex IT infrastructure relevant to the financial tested the design and operating effectiveness of the relevant preventative and detective reporting processes and related internal controls. general IT controls over user access management including: User access management controls are an integral part • authorising access rights for new joiners of the IT environment to ensure both system access • timely removal of user access rights and changes made to systems and data are authorised • logging and monitoring of user activities and appropriate. Our audit approach relies on the • privileged user access management and monitoring effectiveness of IT access management controls. Our audit procedures identified deficiencies in certain IT • developer access to transaction and balance information access controls for systems relevant to financial • segregation of duties; and reporting. More specifically, control deficiencies • re-certification of user access rights. continue to be identified around monitoring of activities performed by privileged users on infrastructure We performed procedures to assess whether additional detective compensating controls components. Management has ongoing programmes operate at the same level of precision to support our assessed risk of unauthorised activities to remediate the deficiencies. Since these deficiencies and we tested management’s detective compensating controls. were open during the year, we performed additional procedures to respond to the risk of unauthorised changes to automated controls over financial reporting, such as an assessment of compensating controls implemented by management. Communications with the Barclays PLC Areas of particular auditor judgement Our results Board Audit Committee We identified the following as the areas of Based on the risk identified and our Our discussions with and reporting to the particular auditor judgement: procedures performed, we did not identify Board Audit Committee included: unauthorised user activities in the systems • The Key Audit Matter relates to • Our response to the Key Audit Matter. relevant to financial reporting which would determining whether user access have required us to significantly expand management controls were designed the extent of our planned detailed testing. and implemented and operated effectively. Limited auditor judgement was required relative to the other Key Audit Matters which have been identified.