The Office of Internal Controls conducts an annual certification process that leverages Sarbanes-Oxley Act best practices. The process applies to selected business processes across the university (for example, financial operations, human resources, and conflict of interest). It provides reasonable assurance regarding achievement of objectives in the following categories:
- Effectiveness and efficiency of operation
- Compliance with laws and regulations
- Reliability of financial reporting
One of the annual certification areas is information assurance. Units are asked to certify that they are compliant, partially compliant, or non-compliant with a particular information assurance practice or process. The practice or process selected changes every fiscal year.
Information Assurance Internal Control Certification
Fiscal Year 2024 Question
My unit understands Section VIII.A. (Security and Privacy) of the newly updated Procurement General Policies (SPG 507.01) and has aligned its procurement processes with the requirements in Third Party Vendor Security and Compliance (DS-20).
Responses to FY24 Question
All units should be able to reply "Yes" or "Partially" to the FY24 question. See Guidance for the Internal Control Annual Certification Process in preparation for responding to the Internal Control Certification Question.
- Yes. My unit understands Section VIII.A. (Security and Privacy) of the newly updated Procurement General Policies (SPG 507.01) and has aligned all of its procurement processes with the requirements in Third Party Vendor Security and Compliance (DS-20).
- Partially. My unit understands Section VIII.A. (Security and Privacy) of the newly updated Procurement General Policies (SPG 507.01) and has aligned some of its procurement processes with the requirements in Third Party Vendor Security and Compliance (DS-20).
- No. My unit has reviewed Section VIII.A. (Security and Privacy) of the newly updated Procurement General Policies (SPG 507.01), but has not aligned its procurement process with the requirements in Third Party Vendor Security and Compliance (DS-20).
Information Assurance Certification Coordination: Who Does What
- The certification form is sent to deans, directors, and vice presidents in early September. The signed form is to be submitted to the Office of Internal Controls by the end of September. The results are summarized and presented to the Regents in November.
- Deans, directors, and vice presidents from 46 units across campus are required to certify to their financial results and internal controls. See list of certifying units.
- Security Unit Liaisons for each certifying unit should work with their unit's key administrative officer to ensure that their unit is prepared to answer the information assurance certification question with respect to the unit's level of compliance.