Security Audits

THE UMIT SECURITY AUDIT FUNCTION PERFORMS AUDITS TO ACCOMPLISH THE FOLLOWING OBJECTIVES:

  • Collaborate with and improve the security of the University entities, processes and systems assessed.
  • Discover security gaps and help fix them before a malicious person finds and exploits them.
  • Evaluate IT operational procedures for adequacy of internal controls and provide advice and guidance on control aspects of new policies, systems, processes and procedures.
  • Determine the level of compliance with university policies and procedures, state and federal laws and government regulations.
  • Evaluate the accuracy, effectiveness and efficiency of the University's electronic information and processing systems.
  • Provide analyses, counsel, information concerning the activities reviewed, and assist with development of action plans to address control deficiency observations and high risk gaps.

The Information Security Office’s Audit Function coordinates assessments that involve formal testing and evaluation of vulnerabilities and controls within the Information Technology environment. These assessments are performed by an independent third party, and the assessor is required to obtain independent corroboration (sampling in nature) to substantiate information provided by personnel.


Audit Process

The audit process for performing an audit is a ten-step procedure, as outlined below. The steps are described in order to help you understand the process.

  1. Notification
  2. Planning
  3. Opening Meeting
  4. Fieldwork
  5. Communication
  6. Report Drafting
  7. Management Response
  8. Closing Meeting
  9. Report Distribution
  10. Follow-up

Notification

First, you will receive a letter informing you of an upcoming audit, which will include a preliminary checklist. This is a list of documents (such as, but not limited to, organization charts, SOPs, technical systems documentation, process flows, and data flow diagrams) that will help us learn about the IT department, process, or system before preparing the final audit plan, scope and audit program for the audit.


Planning

After reviewing the preliminary checklist documentation, we will plan the review, conduct an engagement risk assessment, draft an audit plan, and schedule an opening meeting with you.


Opening Meeting 

The opening meeting should include senior management and any administrative staff that may be involved in the audit. During this meeting, the scope of the audit will be discussed. You should feel free to ask the auditors to review areas that you are concerned about. The time frame of the audit will be determined, and you should discuss any potential timing issues (e.g. vacations, deadlines) that could impact the audit. It doesn't take as much of your time as you might expect!


Fieldwork

After the opening meeting, the auditor will finalize the audit plan and begin fieldwork. Fieldwork typically consists of talking with staff; reviewing procedure manuals; learning about business processes, system processing, interfaces, access points, and the communications technologies utilized; and testing both for compliance with applicable university policies and procedures, laws and regulations, and for the adequacy of internal controls. You should make your staff aware that we will be scheduling meetings with them.


Communication

Throughout the process, we will keep you informed, and you will have an opportunity to discuss issues noted and the possible solutions.


Report Drafting

After the fieldwork is completed, we will draft a report. The report consists of several sections and includes: the distribution list, the follow-up date, a general overview of your unit, the scope of the audit, any major audit concerns, the overall conclusion, and detailed commentary describing the findings and recommended solutions. You should read the draft report carefully to make sure there are no errors. If you find a mistake, please inform us right away so that it can be corrected before the final report is issued.


Management Response

Once the report is finalized, we will request your management responses. The response consists of 3 components: whether you agree or disagree with the problem, your action plan to correct the problem, and the expected completion date. For observations or risks for which no corrective action is contemplated, please specifically state in the response that you accept responsibility for this decision.


Closing Meeting

A closing meeting will be held so that everyone can discuss the audit report and review your management responses. This is an opportunity to discuss how the audit went and any remaining issues.


Report Distribution

The report is then distributed, at a minimum, to you, your manager(s), and UMIT senior executives. We may also distribute an audit survey to the audited unit to solicit feedback about the audit. Feedback is important to us, since it can help us improve the audit process.


Follow-Up

Follow-up reviews are performed on an issue-by-issue basis and typically occur shortly after the expected completion date given in the management response, allowing time for the agreed-upon corrective actions to be implemented. The purpose of the follow-up is to verify that you have implemented the agreed-upon corrective actions. The auditor will interview staff, perform tests, or review new procedures to perform the verification. You will then receive a letter from us indicating whether you have satisfactorily corrected all problems or whether further actions are necessary.