Internal Controls: Information Technology and Data Management

Below is a listing of internal control (IC) best practices and the related University policy, if applicable:

IC 1: The department has a documented business continuity and disaster recovery plan.

The department should develop and maintain a business continuity and disaster recovery plan to manage unexpected operational and technology events. These plans should be established in collaboration with IT and updated annually.

IC 2: Onboarding/offboarding procedures have been established to grant and remove employee access to University and departmental systems.

The department should develop and document standard procedures/guidelines for granting and removing employee access to University and departmental systems. The development of standard procedures will assist in the consistent granting and removal of employee access to University systems.

IC 3: Access to business systems and applications is limited to those with a business need.

See University Policy 9.8 Security of Information Technology Resources and Systems. ISU Information Technology Resources and Systems are owned by the University and are to be used in support of the educational, research and public service mission of the University. All individuals granting access to ISU Information Technology Resources and Systems shall be required to perform authentication and authorization processes in accordance with University procedures.

IC 4: Access to business systems and applications is restricted by function based on user role.

See University Policy 9.8 Security of Information Technology Resources and Systems. ISU Information Technology Resources and Systems are owned by the University and are to be used in support of the educational, research and public service mission of the University. All individuals granting access to ISU Information Technology Resources and Systems shall be required to perform authentication and authorization processes in accordance with University procedures.

IC 5: System access reviews are documented and performed annually.

To prevent unauthorized access or disclosure of confidential information, documented access reviews must be completed annually.

IC 6: Policies have been established to outline business need and proper conduct for use of social media platforms.

The department should develop staff training and guidelines for any users of social media on the University's behalf. Accounts should have guidelines for posting to ensure appropriate content and use. Procedures should be developed for password management and changes upon staff departure to prevent unauthorized access.