Tarrant County College District Compliance Recommendations Discussion

Learning Objectives and Outcomes

Identify correct and incorrect compliance recommendation statements in an auditing report.

Assignment Requirements

Audit final reports may include recommendations supported by the audit findings. The recommended actions should be logically tied to a finding for which the problem has also been identified. Recommendations should be specific, sensible, cost-effective, and actionable.

• Actionable recommendations should not include statements such as “controls should be strengthened.” Tactical recommendations are important and needed. However, the report should also provide strategic recommendations that consider the broader picture of the organization’s objectives and how identified gaps or vulnerabilities affect the organization’s ability to achieve those goals.

Discuss and compose examples of at least one correct and one incorrect compliance recommendation statement for the following:

Retailer PCI DSS compliance finding: Company does not use vendor-supplied defaults for system passwords and other security parameters

Health care organization HIPAA finding: E-mails with personally identifiable information (PII) and protected health information (PHI) can be sent out of the organization without screening

Financial institution: Institution does not have a process in place for logging and auditing access control lists of users of the 401(k) database

Compose a list that includes the correct and incorrect compliance recommendation statements for each type of organization.