Management asked: "What are the biggest threats to the district and are we adequately addressing these threats?"
Context
The school district required an enterprise risk assessment to determine high-risk areas/processes
Based on the risk assessment results, we prioritized the highest risk areas within our audit plan, which included IT general controls and cybersecurity
Conducted an internal audit of IT general controls and cybersecurity processes and identified areas for cybersecurity posture improvements
Our Approach
Risk Assessment
Determined the residual risk ratings for key processes by considering the school district's inherent risks (i.e., types of risks and likelihood of occurrence) and the potential impact to the school districts if these risks materialized, after considering the mitigating internal controls (i.e., control effectiveness)
Based on the residual risk ratings, the internal audit plan was developed for the subsequent three-year period, prioritizing the highest risk areas including cybersecurity
Internal Audit Process
Conducted detailed corroborative interviews of key IT and cybersecurity stakeholders to gain an understanding of the current state of implemented controls and identify potential control gaps
Performed substantive testing and data analysis of key IT general and cybersecurity controls to determine the sufficiency of design and operating effectiveness of implemented controls
Reported on the potential risks and impacts of identified IT and cybersecurity deficiencies, utilizing specific and measurable attributes to best estimate the impacts in an actionable format
Provided recommended corrective action plans to jumpstart the remediation process for the identified vulnerabilities
Customer Impact
Received detailed summary of internal audit results, including recommendations to improve the overall security of the school district
Technology staff able to coordinate immediately with Elliott Davis and respond to critical findings
Utilizing the internal audit results, the school district improved the security controls surrounding its critical computer systems and information resources to mitigate the impacts of internal and external cybersecurity threats
We Can Help
For more information on this and other topics, contact a member of our team.
The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.
