
Information Technology Audit and Consulting Services

Myers and Stauffer has provided audit and/or consulting services to a wide range of federal, state, and local government agencies, including clients in Texas, California, Arizona, New York, Colorado, Indiana, Mississippi, Washington, and Virginia. Our auditors and consultants are comprised of dedicated and experienced security and IT audit professionals with experience in mainframe systems, SQL, networking, and data center operations.

Major certifications held by our IT Assurance and Security Team include those available to IT audit professionals such as Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified in Risk and Information Systems Control (CRISC), and Certified Internal Auditor (CIA). We have also been trained and certified by vendor personnel in the use of Nessus Internet Scanner™, and have real-world experience using other automated testing tools for wireless testing, Web application and database vulnerability assessment, and penetration testing.

Audits and consulting services are conducted using best practice frameworks and standards such as GAGAS (Generally Accepted Government Auditing Standards) – The Yellow Book, HIPAA (Health Insurance Portability and Accountability Act) / HITECH (Health Information Technology for Economic and Clinical Health Act), NIST (National Institute of Standards and Technology), SSAE 16 (Standard for Attestation Engagements No. 16) and GAO FISCAM (Government Accounting Office - Federal Information System Controls Audit Manual). In addition, we have audited against specific and detailed vendor guidance, such as that provided by Microsoft or Cisco, and state or county department level standards and guidance.

Myers and Stauffer staff has experience performing automated assessments and penetration testing of network vulnerabilities, Web applications, databases, and wireless network security at government agencies and for very large, complex network environments. We have performed assessments as stand-alone engagements and as a component of other engagements (such as IT audits or security reviews) for State and County Departments, Medical Facilities, Information Resource Agencies, and State Retirement Systems, to name a few. In addition, Myers and Stauffer has performed social engineering assessments to determine how vulnerable organizations are to attempts by unauthorized individuals trying to access sensitive information from system end users. We have completed assessments of wireless and physical security for state agency facilities and data centers.

Areas in which we have completed IT engagements include Service Organization Control (SOC 1, 2, or 3) Audits, Network Security, System Security, IT Administration and/or Management, Mainframe Systems and Database Administration, Application Development/Change Management, Physical Security, Data Backup & Recovery, Processing Integrity / Claims Processing, and Segregation of Duties. We can structure our information technology services as consulting services, agreed-upon procedures, or attestation/audit services. We have conducted the following types of information technology assessments, reviews, and audits:

  • Comprehensive IT risk assessments of the State’s Medicaid Fiscal Intermediary and Medicaid Managed Care Organization contractors to assess compliance with IT-related contract requirements, laws, rules, and regulations (such as HIPAA); security risks; data integrity; and system processing accuracy and completeness. These risk assessments form the basis for selecting performance audit objectives of these entities.
  • Comprehensive reviews and assessments of IT general and application controls.
  • HIPAA compliance assessments, gap analysis, and audits.
  • Reviews of network, application, and database security configurations through observation of security configurations and automated testing.
  • Automated assessment of network vulnerabilities, web applications, databases, and wireless network security.
  • Reviews of security programs including personnel security, administrative security structure, and policies and procedures.
  • Reviews of information technology governance structure, policies, and procedures.
  • Reviews of System Development Life Cycle and Change Management processes and procedures.
  • Reviews of data backup and recovery, disaster recovery, and business continuity planning.
  • Support to Internal Audit departments by providing IT subject matter expertise, IT Risk Assessment, consulting services, and IT audit services.
  • SSAE 16 (SOC 1) Audits of State Medicaid Fiscal Intermediaries, Pharmacy Claims Administrators, and Electronic Benefit Transfer Administrators.
 
Myers and Stauffer understands your challenges because this is all we do.
