ISA-2019-2000

The results of our audit identified deficiencies in internal control over information technology governance and security management that are considered reportable under Government Auditing Standards as follows: (1) Administrative Office of the Courts (AOC) did not ensure that more than half of its security management policies and programs were approved and implemented, (2) AOC did not develop and implement an access control policy to establish requirements for controlled logical access to information assets, and (3) AOC did not implement a security awareness program to ensure security is considered consistently throughout the organization. Details about each deficiency are provided in the Findings and Recommendations section of the report.