IT Inventory Audit

Project Overview

ITS will begin a large project to address five IT inventory audit recommendations related to purchasing, devices and inventory, to be completed by mid- to late-2025. The recommendations are the result of a report generated by the Iowa Board of Regents Office of Internal Audit. Work begins with department and campus partners in fall 2024    

Back to top

Project Update

October 2024: Committee members selected to pursue the five audit recommendations. 

January 2025: Work continues on the IT Inventory Audit project to put in place recommendations from a 2024 report released by the Office of Internal Audit. The four project workgroups focused on 1) device inventory and asset management, 2) IT purchasing policy, 3) redundant software (application rationalization) and 4) university website inventory continue to make progress.

• Device inventory and asset management: Discussions are underway for leveraging ServiceNow as the inventory platform and identifying campus roles best suited for inputting physical inventory into the system. The group is also identifying in-scope and out-of-scope devices. At this time, out-of-scope hardware will likely include audiovisual equipment and other devices not managed by MECM or JAMF.  Lastly, the group has plans to engage with campus IT professionals in 2025 to increase awareness and usage of MECM, JAMF and Microsoft Defender.
• IT purchasing policy: Workgroup members have met with the Office of University Counsel to ask questions and gain additional context of policy adjustments. To meet audit recommendations, the group is exploring updated process/procedure documentation that can be added as a resource to the existing purchasing policy and automated system process adjustments as fitting.
• Redundant software (application rationalization): With assistance from the Procurement Services department, the workgroup is using provided lists of purchases and categories to steer progress. The group is also documenting the definition of redundancy and discussing the scope of software inventory, with attention to creating a list of university software and identifying where software redundancies exist.
• Website inventory: The workgroup has kicked off meetings to identify a sustainable yet effective platform and process for maintaining a current list of ISU-owned websites.

Back to top

Project Details

Audit recommendations include: 

1. Inventory tracking: ITS will create a policy and guidelines for tracking hardware and software across the university. Inconsistent IT tracking processes currently in place can result in inconsistent security practices and do not require endpoint management software or anti-virus software to be installed.  
2. Purchasing policy: In collaboration with key stakeholders, ITS will develop a policy for technology purchases that outlines purchasing and monitoring processes for devices, software and websites. Without a central policy, risks include redundant software and purchases that do not comply with other ISU policies.   
3. Inactive devices: ITS will develop guidelines for identifying inactive devices and implement one or more processes that will disconnect inactive devices from the network. ITS was previously using a practice to remove devices, but that mechanism is no longer in place. Guidelines developed will reduce the potential risk of unpatched computers connecting to the network.  
4. Redundant software: Working with campus partners including local IT staff, ITS will provide a list of available software systems for campus to limit redundant software purchases.   
5. Website tracking: ITS will create a policy for websites to be centrally registered, along with minimum security requirements and approved platforms. The lack of a central registry of ISU-managed websites poses challenges including limited abilities for central monitoring of controls.   
    

Back to top

Schedule & Timeline

Back to top