Information Technology Audit

The Information Technology (IT) audit group is a unit within Risk Management and Audit Services (RMAS) that focuses on the University's technology environment and supporting operational processes to assure information technology assets are reliable, available, protected and compliant with University policies and procedures, as well as applicable laws and regulations. We emphasize the importance of identifying and mitigating risks associated with the use of data, applications, infrastructure, networking systems and technology related operational activities. Our evaluations are objective and professional, utilizing the International Standards for the Professional Practice of Internal Auditing as well as internationally recognized IT standards such as COBIT (Control Objectives for Information and related Technology), NIST CSF (National Institute of Standards Technology Cyber Security Framework) and the CIS CSC (Center for Internet Security Critical Security Controls) best practice guidelines.

IT Audit provides the following audit services:

Audit: a criteria-based evaluation with the intention of issuing a final report inclusive of agreed-to-actions for areas of non-conformance. Although every audit has a specific scope and associated objectives, many of our audit projects focus on the processes, solutions and services that are in place to appropriately protect information assets from unintentional access or use, disruption or corruption. The criteria used often includes an assessment of physical and logical security controls including a review of change control, administration of privileged accounts, event logging and monitoring, incident handling, backup and disaster recovery and a review of the quality, alignment and value realization of IT service delivery. We also provide compliance audits, which focus on University policies and procedures, Payment Card Industry (PCI), the Health Insurance Portability and Accountability Act (HIPAA), Family Education Rights and Privacy Act (FERPA) and other established policies, applicable laws and regulations.

Consulting: similar to an audit, a consulting engagement also includes a criteria-based evaluation with the intention of issuing a final report that will include “observations and recommendations” in place of agreed-to actions and timelines. As with an audit, the criteria used is selected based on the scope and objectives of the engagement.

Advisory / Assistance: participation in various activities using our specific risk-based, control objective-oriented skills, facilitation abilities, expertise, analytic and synthesis talents. These kinds of engagements do not result in a formal letter or follow a pre-defined process and the approach is tailored to meet the needs of the specific advisory activity. For example, as experts in the area of risk and controls, our audit staff are frequently asked to help with control assessments. Control assessments are designed to help those that manage and operate technology solutions better understand their current state or processing flows while identifying practical opportunities for improvement.