Internal Control Annual Certification Process

The Office of Internal Controls conducts an annual certification process that leverages Sarbanes-Oxley Act best practices. The process applies to selected business processes across the university (for example, financial operations, human resources, conflict of interest, and so on). It provides reasonable assurance regarding achievement of objectives in the following categories:

  1. Effectiveness and efficiency of operation
  2. Compliance with laws and regulations
  3. Reliability of financial reporting

One of the annual certification areas is information assurance. Units are asked to certify that they are compliant, partially compliant, or non-compliant with a particular information assurance practice or process that changes every fiscal year (FY).

Information Assurance Internal Control Certification Question: Current Year

Fiscal Year 2021 Question

My unit has deployed Crowdstrike Falcon, which provides enhanced endpoint protection, including antivirus and anti-malware, on U-M owned computers and servers identified through the ITS Information Assurance survey process, and:

  • Has plans and processes in place to deploy Falcon on machines that are currently inaccessible due to the pandemic;
  • Has plans and processes in place to support deployment in an ongoing manner.

Responses to FY21 Question

All units should be able to reply yes or partial to the FY21 question. See Guidance for the FY21 Internal Control Annual Certification Process to submit or review questions about responding to the FY21 Internal Control Certification Question.

  • Yes. My unit has deployed Crowdstrike Falcon, which provides enhanced endpoint protection, including antivirus and anti-malware, on U-M owned computers and servers identified through the ITS Information Assurance survey process; has plans in place to deploy Falcon on machines that are currently inaccessible due to the pandemic; and has plans and processes in place to support deployment in an ongoing manner.
  • Partial. My unit has deployed Crowdstrike Falcon, which provides enhanced endpoint protection, including antivirus and anti-malware, on some U-M owned computers and servers identified through the ITS Information Assurance survey process; has plans in place to deploy Falcon on machines that are currently inaccessible due to the pandemic; and has plans and processes in place to support deployment in an ongoing manner.
  • No. My unit has not deployed Crowdstrike Falcon, which provides enhanced endpoint protection, including antivirus and anti-malware, on U-M owned computers and servers identified through the ITS Information Assurance survey process; has no plans in place to deploy Falcon on machines that are currently inaccessible due to the pandemic; and has no plans and processes in place to support deployment in an ongoing manner.
CrowdStrike Falcon is on ITS-managed machines. ITS has deployed Falcon to ITS-managed systems and machines, including MiWorkspace machines, Platform as a Service (PaaS) machines, and MiServer Managed OS servers. Units that use ITS-managed machines and do not manage unit-based machines and servers can reply yes to the FY21 question.

Archive of Previous Questions

Internal Control Annual Certification Question Archive

Information Assurance Certification Coordination—Who Does What

  • The certification form is sent to deans, directors, and vice presidents in early September. The signed form is to be submitted to the Office of Internal Controls by the end of September. The results are summarized and presented to the Regents in November.
  • Deans, directors and vice presidents from 46 units across campus are required to certify to their financial results and internal controls. See list of certifying units.
  • Security Unit Liaisons for each certifying unit should work with their unit's key administrative officer (included in list of certifying units) to ensure that their unit is prepared to answer the information assurance certification question with respect to the unit's level of compliance.