U.S. Immigration and Customs Enforcement (ICE) did not consistently implement effective access controls to restrict access to its network and information technology (IT) systems. Although ICE took a multi-layered approach to managing access for personnel who change positions or leave the component altogether, we determined that ICE did not consistently manage or remove access when personnel separated or changed positions. For example, 84 percent of the accounts for separated personnel we examined remained active beyond the individual’s last workday. Additionally, ICE did not monitor and configure privileged user access, service accounts, and access to sensitive security functions as required. These deficiencies stemmed from insufficient internal controls and oversight of user account management and compliance to ensure access controls were administered appropriately and effectively to prevent unauthorized access.