Information Services Board AGREED-UPON PROCEDURES ENGAGEMENT
Authority for IT policies and standards are now under the Office of the Chief Information Officer. Former Information Services Board policies and standards are still in effect.
The Information Services Board's Information Technology Security Policy No. 400-P2 requires state agencies to have a compliance audit every three years. The audits are verifying agencies' compliance with IT security standards set by the Board. State agencies can conduct the audits themselves, hire a contractor, or request the State Auditor's Office conduct the audit. The State Auditor's Office will perform these as agreed-upon procedures engagements.
Agencies that want the State Auditor's Office to perform their ISB compliance engagement should download the Pre-engagement Preparation Package and complete the forms. The preparation package includes instructions for completing the forms and submitting the package to our Office.
Our Office will perform these engagements in the order in which we receive the completed preparation packages. Agencies should plan on two to three weeks from the date the package is submitted before the draft report is available. Engagements generally require 40 to 60 hours to complete, provided the preparation package is complete and all of the requirements are addressed.
The instructions identify a contact at our Office to call before submitting the package. We encourage agencies to inquire about the current billing rate and completion time during this call.