(a) The IT audit summary provided to the Department pursuant to Rule .0620 of this Section shall include:

(1) the date of the audit;

(2) the third-party audit standards by which the audit was conducted;

(3) the name, contact information, and title or role of a representative of the organization conducting the audit;

(4) the IT security audit findings; and

(5) any plan of action including a timeline to address all findings.

(b) For purposes of this Rule, "finding" means:

(1) a deficiency in internal control;

(2) noncompliance with applicable laws and rules; or

(3) instances of fraud.

History Note: Authority G.S. 10B-4; 10B-106; 10B-125(b); 10B-126; 10B-134.15; 10B-134.17; 10B-134.19; 10B-134.21; 10B-134.23;

Eff. July 1, 2025.