Internal controls are essential to the effective operation of local governments and schools. They encompass the policies, procedures and activities designed to provide reasonable assurance that operations are functioning as intended. In general, properly designed and implemented controls reduce the likelihood that significant errors or fraud will occur and remain undetected. Internal controls over IT seek to help ensure that computer systems and the data they process, transmit and store can be trusted; are available when needed; and are adequately protected from unauthorized access and use.
The governing board’s internal control responsibilities primarily involve authorization, oversight and ethical leadership. Generally, governing boards do not design internal controls or develop the written policies they adopt. The governing board instead relies upon management, primarily the chief executive officer (CEO), to create the policies needed to help ensure that operations are performed effectively and assets are safeguarded. The CEO in turn relies upon managers and department heads to recommend and implement procedures to help inform staff how to achieve objectives set forth in policies. Some local governments and schools use an IT vendor for assistance in establishing, conducting and monitoring IT internal controls.
An important way that governing boards fulfill their oversight responsibilities is by asking questions related to controls over IT systems and any key applications (e.g., financial, personnel and student information) within those systems. Depending on how IT responsibilities are assigned, the governing board’s questions might be directed to the CEO, IT manager, department head(s) or an IT vendor. Asking the right questions is not only an effective way to exercise oversight; it can also be done at little or no cost. On the other hand, not asking the right questions may leave weaknesses undetected and expose IT systems and data to loss or unauthorized access and use, which could be very expensive.
It is understandable that someone with little or no IT knowledge might be apprehensive about asking questions concerning IT internal controls. However, a governing board has responsibility for the oversight of the local government’s or school’s IT operations – whether or not its members are knowledgeable about or feel comfortable discussing IT. As you will note after reviewing the IT Governance Security Self-Assessment appended to this publication, a background in IT is not necessary to ask questions about key IT internal controls and understand the answers. Extensive IT knowledge is also not necessary to perform certain procedures (e.g., review documents or reports) that can corroborate the answers to the self-assessment questions and help you better understand the effectiveness of the internal controls.
The Information Technology Governance LGMG can be downloaded at https://www.osc.ny.gov/files/local-government/publications/pdf/information-technology-governance.pdf