
Audit of the Office of the Inspector General—Review of Cybersecurity Awareness Training Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Office of the Inspector General.

Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Office of the Inspector General (OIG) for the period January 1, 2019 through December 31, 2020.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is our audit objective, indicating the question we intended our audit to answer and the conclusion we reached regarding the objective.

Objective 1: Did OIG administer a security awareness training program in accordance with Sections 6.2.3, 6.2.4, 6.2.1.3, 6.2.7, and 6.2.8 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010 and Control AT-1 of the National Institute of Standards and Technology’s Special Publication 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations?

Conclusion: Yes

To achieve our audit objective, we first gained an understanding of the internal controls related to the objective by conducting interviews with OIG management and other staff members involved in administering the agency’s cybersecurity awareness training. We observed certain management activities related to the administration of this training. We also requested and reviewed OIG’s Personnel Policies and Procedures Manual to determine OIG’s cybersecurity awareness training program requirements. While reviewing the manual, we found that during the audit period, OIG had not established a formal written cybersecurity awareness training policy. We brought this matter to the attention of OIG officials, and in March 2021, after our audit, OIG incorporated a cybersecurity awareness training policy into the 2021 edition of its Personnel Policies and Procedures Manual.

Additionally, we performed the following procedures to address our audit objective.

To determine whether all OIG system users completed their cybersecurity awareness training (using a training system called KnowBe4), we obtained from OIG a list of all OIG employees during the audit period. We reviewed all OIG’s cybersecurity awareness training records and determined which OIG system users received the training during the audit period and whether they completed the training within the timeframe established by EOTSS standards.

To determine whether all new OIG employees received the cybersecurity awareness training in accordance with EOTSS requirements, we obtained from OIG a list of the 55 employees it hired during the audit period. From this list, we selected a nonstatistical, random sample of 20 individuals for testing. For each individual in our sample, we examined the orientation date and onboarding training records to determine whether the employee completed initial cybersecurity awareness training during orientation in the onboarding period. In addition, we requested from OIG’s Human Resources Department copies of signed Employee Acknowledgment of Receipt forms, which include the acknowledgment of OIG’s “Acceptable Use of IT Resources” policy, for all 20 users. We verified that the Employee Acknowledgment of Receipt form for each user in the sample was signed, to ensure that all users had acknowledged the policy.

Because we used a nonstatistical approach for our audit sample, we could not project our results to the entire population of system users.

Data Reliability

OIG gave us a list of all its employees from the audit period, which it extracted from the Commonwealth’s Human Resources Compensation Management System. To assess the reliability of the data on this list, we tested for duplicate data, missing data, and data outside the audit period. We also compared the list to the list of OIG employees in the Commonwealth Information Warehouse.[2]

To assess the reliability of OIG’s cybersecurity awareness training records, we tested for missing and duplicate data. We also interviewed EOTSS’s director of governance, risk, and compliance and observed her exporting the training records from the system.

Based on the results of these data reliability assessment procedures, we determined that the data obtained from OIG were sufficiently reliable for the purpose of the audit.
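The data reliability tests above (duplicates, missing values, dates outside the audit period, and a cross-comparison of the HR extract against a second source) and the completion test in the methodology section are mechanical enough to script. The following Python is an added illustration, not part of the audit or of any OIG or EOTSS tooling. The employee list, warehouse ID set and training records are constructed sample data, the 30-day completion window is hypothetical (the page does not state the EOTSS timeframe), and the rule that an employee hired before the audit period is measured from the start of the period is likewise an assumption made for the example.

```python
"""Data reliability and training-completion checks of the kind an auditor
runs over an HR extract and a training-system export (added example)."""
from collections import Counter
from datetime import date, timedelta

AUDIT_START = date(2019, 1, 1)
AUDIT_END = date(2020, 12, 31)
# Hypothetical window; the actual EOTSS timeframe is not given on the page.
COMPLETION_WINDOW = timedelta(days=30)

# Constructed sample data; each defect is deliberate so the checks have something to find.
HR_EXTRACT = [
    {"id": "E001", "name": "A. Example", "hire_date": date(2018, 6, 1)},
    {"id": "E002", "name": "B. Example", "hire_date": date(2019, 3, 15)},
    {"id": "E002", "name": "B. Example", "hire_date": date(2019, 3, 15)},  # duplicate row
    {"id": "E003", "name": "", "hire_date": date(2020, 7, 1)},            # missing name
    {"id": "E004", "name": "D. Example", "hire_date": date(2021, 2, 1)},   # hired after period
]
WAREHOUSE_IDS = {"E001", "E002", "E003", "E005"}   # second source: E004 absent, E005 extra
TRAINING_RECORDS = [
    {"id": "E001", "completed": date(2019, 1, 20)},
    {"id": "E002", "completed": date(2019, 4, 10)},
    {"id": "E003", "completed": date(2020, 9, 1)},    # well past hire + window
    {"id": "E001", "completed": date(2019, 1, 20)},   # duplicate export row
    {"id": "E999", "completed": None},                # no completion date, unknown user
]


def find_duplicates(rows, key):
    """Key values that occur more than once in the extract."""
    counts = Counter(r[key] for r in rows)
    return sorted(k for k, n in counts.items() if n > 1)


def find_missing(rows, key, fields):
    """Key values of rows with an empty or None required field."""
    return sorted({r[key] for r in rows if any(not r.get(f) for f in fields)})


def find_outside_period(rows, key, date_field, start, end):
    """Key values whose date falls outside [start, end]; None dates are skipped."""
    return sorted({r[key] for r in rows
                   if r[date_field] is not None and not (start <= r[date_field] <= end)})


def compare_sources(primary_ids, secondary_ids):
    """IDs present in only one of two sources; both directions need follow-up."""
    primary, secondary = set(primary_ids), set(secondary_ids)
    return sorted(primary - secondary), sorted(secondary - primary)


def completion_status(employees, training, start, end, window):
    """Per in-scope employee: on_time, late or not_trained.
    Deadline = max(hire date, period start) + window (assumed rule, see lead-in)."""
    earliest = {}
    for r in training:
        d = r["completed"]
        if d is not None and (r["id"] not in earliest or d < earliest[r["id"]]):
            earliest[r["id"]] = d
    status = {}
    for e in {e["id"]: e for e in employees}.values():   # collapses duplicate rows
        if e["hire_date"] > end:                          # not employed during the period
            continue
        deadline = max(e["hire_date"], start) + window
        done = earliest.get(e["id"])
        status[e["id"]] = ("not_trained" if done is None
                           else "on_time" if done <= deadline else "late")
    return status


def orphan_training_records(employees, training):
    """Training rows whose user is not on the HR extract (a reliability finding)."""
    known = {e["id"] for e in employees}
    return sorted({r["id"] for r in training if r["id"] not in known})


def run_checks():
    """Run every test over the constructed data and return the findings."""
    hr_ids = {e["id"] for e in HR_EXTRACT}
    only_hr, only_warehouse = compare_sources(hr_ids, WAREHOUSE_IDS)
    return {
        "hr_duplicates": find_duplicates(HR_EXTRACT, "id"),
        "hr_missing": find_missing(HR_EXTRACT, "id", ["name", "hire_date"]),
        # hire dates before the period are fine, so only the upper bound applies here
        "hr_outside_period": find_outside_period(HR_EXTRACT, "id", "hire_date", date.min, AUDIT_END),
        "only_in_hr": only_hr,
        "only_in_warehouse": only_warehouse,
        "training_duplicates": find_duplicates(TRAINING_RECORDS, "id"),
        "training_missing": find_missing(TRAINING_RECORDS, "id", ["completed"]),
        "training_outside_period": find_outside_period(TRAINING_RECORDS, "id", "completed", AUDIT_START, AUDIT_END),
        "training_orphans": orphan_training_records(HR_EXTRACT, TRAINING_RECORDS),
        "completion": completion_status(HR_EXTRACT, TRAINING_RECORDS, AUDIT_START, AUDIT_END, COMPLETION_WINDOW),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

Each finding is returned rather than just printed so it can be carried into the audit workpapers; in practice the export step itself is also evidence (the auditors observed the export being performed), which no script replaces.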

Conclusion

Our audit revealed no significant instances of noncompliance that must be reported under generally accepted government auditing standards.

[2] According to the Office of the Comptroller of the Commonwealth’s website, the Commonwealth Information Warehouse is a system that “brings together a subset of the financial, budgetary, human resources, payroll and time reporting information maintained in dedicated and separate systems by individual agencies.”

Date published: November 5, 2021