19-192.00 Washington State Auditor: Cybersecurity Audit 11/13/2019
City of Spokane Valley
10210 E. Sprague Avenue
Spokane Valley, WA 99206
We are pleased to confirm that the Office of the Washington State Auditor (SAO) will
conduct an information technology (IT) security audit for and at the request of City of Spokane
Valley. This letter confirms the nature and limitations of the audit, as well as responsibilities of
the parties and other engagement terms.
Our responsibilities
We will perform our IT security audit in accordance with auditing standards generally accepted
in the United States of America and the standards applicable to performance audits contained in
Government Auditing Standards, issued by the Comptroller General of the United States. Those
standards require that we plan and perform the audit to obtain reasonable assurance that evidence
is sufficient and appropriate to support the findings and conclusions.
Your responsibilities
City of Spokane Valley is responsible for the design, implementation and maintenance of internal
controls relevant to the City of Spokane Valley IT policies and processes.
You, or the person you assign, will provide the information we need for performing the audit.
You are also responsible for the accuracy and completeness of that information. You will need to
tell us about any documents, records, files or data that contain information covered by
confidentiality or privacy laws (such as information regarding IT infrastructure and security of
computer and telecommunications systems, HIPAA, CAS, or Payment Card Industry (PCI)
data). When information is transmitted electronically, you will need to use secure
communication methods; our audit team can give you access to our secure file transfer system.
Working with subject matter experts
We may be working with subject matter experts during this audit. We are responsible for
directing the scope of their work and receiving their work products. We will give you the results
of their work in unaltered form to ensure clear communication, and you will have direct access to
them during the audit so you can clarify audit results. Members of the audit team will participate
in or be present when the subject matter experts are conducting their work and during all
communications.
Audit costs and timeline
City of Spokane Valley will not be charged for the work performed in this audit. Audit work will
take place in four phases.
1. Information request: Once we receive your signed copy of this engagement letter, we will
schedule a kick-off meeting. We will introduce the audit team, and give you a list of the materials
we need from you to begin our planning work, including questionnaires addressing specific areas
of IT security at City of Spokane Valley. If necessary, we can help you decide who should fill in
the questionnaires; you can also use the questionnaires to describe any requested information that
is not available.
2. Audit planning and scoping: As soon as we receive the requested materials and the
questionnaires, we will begin planning the audit which will include one day onsite. The planning
phase will be complete when we mutually finalize and sign the rules of engagement documents,
which includes the timeline for on-site testing.
3. Testing: Testing usually begins about four weeks after the rules of engagement are signed, to
allow time for travel arrangements. Testing will take place on-site and via remote means, and
generally takes one to two weeks on-site and one week remote. Off-site analysis takes about four
additional weeks after the completion of on-site work. We expect to deliver detailed results between
four and eight weeks after the on-site work has been completed.
4. Exit, reporting and public hearing: Once testing is completed and results delivered we will
schedule an exit conference with you to discuss the final results of the audit and provide a copy of
the public report for your formal response. We will finalize the public report about three weeks
later.
Due to the nature of this audit, the public report will be general and highly summarized to ensure
confidential data subject to RCW 42.56.420, or other information that would place the City of
Spokane Valley's information systems at risk, is not disclosed.
Within 30 days of issuing the audit report, the legislative body of the City of Spokane Valley is
required to hold a public hearing in accordance with RCW 43.09.470 due to the use of performance
audit funds authorized by initiative 900. If desired, SAO will provide an overview of the results in
the public hearing. Due to the nature of this audit, the overview will be general and highly
summarized to protect the City of Spokane Valley information technology systems. If requested,
a more detailed discussion of the results with the Commission can be provided in executive session.
We expect to conduct this audit between January 2020 and September 2020, subject to the timeline
conditions noted. We will discuss changes to the timeline in our regular meetings with you.
Expected communications
During the course of the audit, we will communicate with Greg Bingman within 24 hours of
detecting a risk we, or our subject matter experts, consider critical.
During the testing phase of the audit, we will communicate weekly on the audit status, any
significant changes in our planned audit scope or schedule, and preliminary results or
recommendations as we develop them.
It is the responsibility of Greg to provide regular feedback on issues that might affect the audit
timeline or expected resolution of critical risks. We expect Greg will also keep us informed of any
other concerns or problems that come to the City of Spokane Valley's attention during the audit.
Subsequent reference, if any, to City of Spokane Valley IT security audit results will only refer to
local government IT audits in the aggregate and the public report available on our website. We will
not disclose further specifics with or without association with the City of Spokane Valley's name
without approval by the City of Spokane Valley.
By signing and returning this letter you acknowledge that the foregoing is in accordance with your
understanding. Please contact us with any questions.
We appreciate the opportunity to be of service to you and look forward to working with you and
your staff.
Sincerely,
[signature] 12.2.19
Erin Laska, IT Audit Manager Date
Office of the Washington State Auditor
Client Response:
This letter correctly sets forth our understanding.
[signature]
Mark Calhoun, City Manager Date
City of Spokane Valley