[read complete report - pdf]

Audit Objective

Determine whether the Board ensured information technology (IT) assets were properly safeguarded.

Key Findings

• Town officials did not monitor Internet usage for computer use policy (CUP) compliance.
• Town officials did not review the inventory of IT hardware and do not maintain an inventory of software or data.
• Town employees were not provided with IT security awareness training.

In addition, sensitive IT control weaknesses were communicated confidentially to Town officials.

Key Recommendations

• Design and implement procedures to monitor Internet usage for CUP compliance.
• Periodically review the inventory of IT assets and expand it to include software and data.
• Ensure that all necessary Town personnel receive IT security awareness training and that training is provided whenever the IT policies are updated.

Town officials did not agree with certain aspects of our findings and recommendations but indicated that they plan to initiate corrective action. Appendix B includes our comments on the issues raised in the Town’s response.