IT Audit Services

The West Virginia Office of Technology (WVOT) Office of Information Security and Controls (OISC) is responsible for establishing, maintaining, and managing an objective and internally independent internal Information Security Audit Program.

Hand on Mouse Image 

This program serves the Executive Branch by examining, evaluating, and reporting on information technology (IT) applications, systems, operations, processes, and practices to provide reasonable assurance that security controls will:

  • Safeguard information assets and protect privacy;
  • Preserve the integrity and reliability of data;
  • Function as intended to achieve the entity’s objectives; and
  • Comply with standards, policies, and regulations.

Audit efforts are focused on those operational areas presenting the highest degree of risk, as well as the greatest potential for benefit to the Executive Branch. Internal Audit recommendations are designed to help Executive Branch agencies manage operations more efficiently, resulting in a more effective use of resources.

The WVOT Internal Audit Program follows the Professional Standards of the Practice of Internal Auditing as issued by the Information Systems Audit and Control Association (ISACA), the Institute of Internal Auditors (IIA), and the International Information Systems Security Certification Consortium (ISC²) Additionally, the WVOT Audit Program adheres to information security standards as published by the Information Standards Organization (ISO). The WVOT Internal Audit Program reports functionally and administratively to the Chief Information Security Officer (CISO).

Types of Audit Engagement

State Agencies
Client Request
WVOT Self Assessment

Third Party
External (Outside Entities)

Agency must contact Internal Audit prior to audit engagement Internal Audit will coordinate with third-party auditors
What We Audit

The types of audits performed by the WVOT Internal Audit Program include, but are not limited to, the following:The types of audits performed by the WVOT Internal Audit Program include, but are not limited to, the following:

The types of audits performed by the WVOT Internal Audit Program include, but are not limited to, the following:
  • Account Management
  • Application Controls
  • Business/Technical Processes
  • Certification and Accreditation
  • Change Control
  • Configuration Management
  • Control Procedures and Practices
  • Data Centers/Facilities
  • Data Management
  • Desktop Practices
  • Disaster Recovery
  • End of Life Procedures
  • Incident Management
  • Internal Controls for Technology
  • Mobile Devices and Media
  • Networks
  • Policy and Regulatory Compliance
  • Servers
  • Technology Acquisitions
  • Telecommunications
  • Other Resources
The Audit Process

The process may begin with discussions held among various Secretaries and Directors across the Executive Branch.  During these meetings, management indicates issues, processes, or areas that they believe may benefit from a review by the Internal Audit Program.

Several factors can influence the scheduling of audits.  They include: the degree of risk or exposure to loss, the type of audit, and the current and planned work in other audit projects requiring substantial time commitments.

Audit Timeframes
Audits can last from a few days to several months, depending on the scope and objectives of the audit work.  The auditor(s) assigned to your area will give you an estimate of the time they will need to complete the audit, after the planning phase is complete.

How the Audit Will Affect the Agency
Like any special project, an audit affects the area's routine to some extent.  The WVOT Internal Auditors will make every effort to minimize this disruption and cooperate with the agency to make the process as smooth as possible.

For more information or to request an audit: