Centralized IT Audit Service

generic network product image

Price: No Cost

Unit of Measure: Usage Based

Pricing Type: No Charge

Billing Cycle: N/A

Service Lead: Ed Miller Edward.Miller@vita.virginia.gov


Agencies may contract for IT security audits to be conducted through this service.  The audits will be performed in accordance with commonwealth IT auditing standards and will be compliant with the requirement to have a sensitive IT system audited (at least once every 3 years).

For additional information visit: ​Commonwealth Security and Risk Management.

How to Order

Each engagement will be priced depending on type and complexity. Please contact your Department of Planning and Budget (DPB) analyst for funding information for your agency.

Your agency head or AITR should complete form # 3-004 - Standard Form for IT Security Audit Services found in the Service Catalog Form Library.  This form will serve as the formal agreement between VITA and your agency.  The VITA CSRM analyst assigned to your agency can assist you with completing the order form. If you do not know your CSRM analyst, please send contact CSRM at commonwealthsecurity@vita.virginia.gov.  Forms should be submitted to VITA OneStop (VITAOneStop@vita.virginia.gov).

Need help?

Frequently Asked Questions

Click on question to show or hide answer.

An IT Security Audit is an examination, evaluation, and a report on the agency's use of an information technology (IT) system to provide reasonable assurance that security controls are implemented and operating as intended. Audits may also include an examination and evaluation of related systems, operations, processes, and practices.

An audit of a sensitive IT system is required at least once every 3 years. Sensitive systems may need to be audited more frequently commensurate with the system's risk or if significant changes have occurred to the system, its use or business purpose, or the environment in which it operates.

Review the status of your system using CSRM's governance risk and compliance tool – Archer or contact Commonwealth Security and Risk Management (commonwealthsecurity@vita.virginia.gov).

Each engagement will be priced depending on type and complexity. Please contact your Department of Planning and Budget (DPB) analyst for funding information for your agency.

No, an agency may choose to use the funding provided to contract with an outside audit firm or else hire staff or contract labor. However the agency must submit an updated IT Security Audit plan. CSRM will review and determine if the plan is acceptable and whether the plan will bring the agency in compliance of the audit requirements mandated by SEC501, the IT Security Standard.

Yes. VITA CSRM will assist you in identifying the systems requiring audits, the scheduling of audits according to risk or resource factors and in choosing the right scope of audit for your system.

Based on the size and complexity of the system and the agency's ability to provide the auditors all required documentation and information an audit can take 2 - 3 months.

Audits will be scheduled as CSRM resources become available. We will coordinate with the agency to ensure that the audit does not overlap or interfere with critical business periods.

Agencies are responsible for providing adequate workspace for auditors while on customer site; assisting auditors in providing requested information as well as prompt and complete participation in auditor interviews. In addition, all costs and processes related to any corrective action or remediation plans resulting from the audits performed by VITA are the responsibility of the customer.

An auditor will come to your agency and complete field work and analysis. After completing field work and analysis, the auditor will present a first draft of findings and recommendations to the agency. A final report will be issued to the agency head with the auditor's findings and recommendations as well as the agency's responses.

Agencies are required to submit a corrective action plan to CSRM following the completion of the audit. Each quarter an agency is required to submit an updated corrective action plan showing remediation work to-date.

The agency head or Agency Information Technology Resource (AITR) is authorized to place orders for information technology services.

Send VITA Onestop an email: vitaonestop@vita.virginia.gov to collaborate or handle your order.