(a) The IT audit summary provided to the Department pursuant to Rule .0620 of this Section shall include:
- (1) the date of the audit;
- (2) the third-party audit standards by which the audit was conducted;
- (3) the name, contact information, and title or role of a representative of the organization conducting the audit;
- (4) the IT security audit findings; and
- (5) any plan of action including a timeline to address all findings.
(b) For purposes of this Rule, "finding" means:
- (1) a deficiency in internal control;
- (2) noncompliance with applicable laws and rules; or
- (3) instances of fraud.
History Note: Authority G.S. 10B-4; 10B-106; 10B-125(b); 10B-126; 10B-134.15; 10B-134.17; 10B-134.19; 10B-134.21; 10B-134.23;
Eff. July 1, 2025.