[read complete report - pdf]

Audit Objective

Determine whether Authority officials ensured IT systems were adequately secured and protected against unauthorized use, access and loss.

Key Findings

• The Board did not adopt an acceptable use policy.
• Officials did not provide IT security awareness training.
• The Authority did not have adequate online banking agreements.

Sensitive information technology (IT) control weaknesses were communicated confidentially to officials.

Key Recommendations

• Adopt comprehensive IT policies, communicate them to all employees, review and update routinely or when significant changes in the environment occur.
• Create and maintain service level agreements (SLAs) for any IT services provided by third-party vendors.
• Consider requiring employees to sign acknowledgement forms to help ensure they are aware of adopted policies and procedures and understand what is expected of them.

Authority officials agreed with our findings and recommendations and indicated they will take corrective action.