Full Audit Report of the Salt Lake County PCI Data Security Standards
Auditor
Auditor
Posted on January, 10 2023
Entity: Fleet Management
We conducted a PCI audit of all 19 County agencies and three non-county entities that accept payment cards to ensure they are in compliance with Countywide policy 1400-7, Payment Card Industry Data Security Standard Policy.
We conducted a PCI audit of all 19 County agencies and three non-county entities that accept payment cards to ensure they are in compliance with Countywide policy 1400-7, Payment Card Industry Data Security Standard Policy. We determined that each was using the correct self-assessment questionnaires and/or attestation of compliance forms. We had a single moderate-risk finding in which we noted a contract was not in compliance with the above policy by the stated deadline of September 30, 2022, but the issue was resolved the following week.
This audit is authorized pursuant to Utah Code Ann. 17-19a-204 “Auditing Services.” We conducted this audit in accordance with generally accepted government auditing standards (GAGAS), except for the requirement in GAGAS 3.18, which states, “In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity.” GAGAS states in 3.21, “Independence comprises the following:
a. Independence of mind: The state of mind that permits the conduct of an engagement without being affected by influences that compromise professional judgment, thereby allowing an individual to act with integrity and exercise objectivity and professional skepticism.
b. Independence in appearance: The absence of circumstances that would cause a reasonable and informed third party to reasonably conclude that the integrity, objectivity, or professional skepticism of an audit organization or member of the engagement team had been compromised.
Our state statute, 17-19a-206 Performance audit services, reads:
(1) A county auditor shall, under the direction and supervision of the county legislative body or county executive and subject to Subsections (1)(b) and (2), provide performance audit services for a county office, department, division, or other county entity. A county auditor may not conduct a performance audit of the auditor’s own office.
(2) The county legislative body or county executive shall establish the goals and nature of a performance audit and related services.
Although this audit is not a performance audit, GAGAS 3.19 states: “auditors and audit organizations should avoid situations that could lead reasonable and informed third parties to conclude that the auditors and audit organizations are not independent and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the engagement and reporting on the work.”
A reasonable and informed third party is defined by GAGAS: “As evaluated by a hypothetical person, a person who possesses skills, knowledge, and experience to objectively evaluate the appropriateness of the auditor’s judgments and conclusions. This evaluation entails weighing all the relevant facts and circumstances, including any safeguards applied, that the auditor knows, or could reasonably be expected to know, at the time that the evaluation is made.”
Although we are working with the State Legislature, County Council and Mayor, Utah Association of Counties, Utah Association of CPAs, to change this statute, we currently have no control or ability to change this statute. As such there is a risk that readers of our report would conclude that we are not capable of exercising objective and impartial judgment on the audit subject matter.
GAGAS standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. Except for the independence issues above, we believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.”
We appreciate the leaders and team members at the various agencies and departments who shared their time and knowledge with us during the audit.
Please contact me at 385-468-7200 with any questions.
Chris Harding, CPA, CFE, CIA
Auditor