Scope and Methodology
State law authorizes the State Auditor to establish a program to audit and issue reports with recommendations to improve any state agency or statewide issue that the State Auditor identifies as being at high risk for the potential of waste, fraud, abuse, and mismanagement or that has major challenges associated with its economy, efficiency, or effectiveness. In January 2018, we issued our latest assessment of high‑risk issues that the State and selected agencies face. Because we continue to include information security as a high-risk issue for the State, we performed this audit of nonreporting entities' information security practices. The table below lists the objectives we developed and the methods we used to address them.
|1||Review and evaluate the laws, rules, and regulations significant to the audit objectives.||Reviewed relevant laws, regulations, and other background materials.|
|2||Conduct a survey of state entities that may not be under the authority of the technology department.||
|3||For surveyed state entities asserting they are under the authority of the technology department, verify they submitted an information security self-assessment to the technology department.||Obtained documentation from the technology department and verified that each entity submitted the required information.|
For a selection of state entities that indicated that they are not subject to the authority of the technology department, do the following:
|5||Review and assess any other issues that are significant to the audit.||Reviewed the State Leadership Accountability Act (accountability act) reports of our selected nonreporting entities to determine whether they identified information security as a concern. The accountability act requires the Department of Finance to identify state entities that must report biennially to the Legislature on the adequacy of their systems of internal control—which may include information security. Entities are allowed to choose the number and types of risks to include in their reports, which must be made public. Only three of the 10 nonreporting entities we reviewed used these reports to communicate information security issues. In addition, because accountability act reports are public documents, entities would only be able to share limited information about their information security issues without compromising their systems. As a result, we determined that accountability act reports were not specifically designed to provide external oversight of a nonreporting entity's information security posture.|
Source: Analysis of information and documentation identified in the column titled Method..