TABLE 2.1 INTERNAL CONTROL QUESTIONS |
We Ask… |
So that we can… |
Applicable Programs |
Do you preserve, protect, and manage all fiduciary trust records created and/or maintained by the Tribe during management of trust programs? (25 CFR §1000.355(d)(7); Funding Agreement - Trust Records Management) |
This question is asked to determine and assess the internal controls of compacting tribes to ensure they are preserving, protecting, and managing all fiduciary trust records created and/or maintained by the Tribe, which is also a requirement stated in their funding agreements. |
Acquisitions & Disposals, Agriculture, Appraisals, Business Leases, Beneficiary Processes Program, Grazing, Forestry, Land, Title, & Records Office, Oil & Gas, Probate, Residential Leases, Sand & Gravel, Supervised Accounts, ROW |
If yes, please explain. |
This question is asked to determine and assess the internal controls of how the tribes preserve, protect, and manage all fiduciary trust records created and/or maintained by the tribes during management of trust programs which is a requirement stated in their funding agreements. |
Acquisitions & Disposals, Agriculture, Appraisals, Business Leases, Beneficiary Processes Program, Grazing, Forestry, Land, Title, & Records Office, Oil & Gas, Residential Leases, Sand & Gravel, Supervised Accounts, ROW |
If no, please explain. |
This question is asked to determine and assess what the tribe does to preserve, protect, and manage all fiduciary trust records created and/or maintained by the Tribe during management of trust programs. |
Appraisals, Probate |
Are key duties and responsibilities divided or segregated among different people to reduce the risk of error, waste, or fraud, i.e., conflicts of interest, no one person is allowed to control all key aspects of a transaction? (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess the internal controls of compacting tribes to ensure that key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. |
Acquisitions & Disposals, Agriculture, Appraisals, Business Leases, Forestry, Grazing, Land, Title, & Records Office, Oil & Gas, Probate, Residential Leases, ROW, Sand & Gravel, Supervised Accounts, Trust Management, Beneficiary Processes Program |
If yes, upload the Tribe's policy or desk operating procedures. |
This question is asked to determine and assess the internal controls of compacting tribes to ensure that key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. |
Acquisitions & Disposals, Ag, Forestry, Grazing, LTRO, Oil & Gas, Probate, S&G |
If no, please explain. |
This question is asked to determine and assess the internal controls of compacting tribes to ensure that key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. |
Acquisitions & Disposals, Ag, BPP, Forestry, Grazing, LTRO, Oil & Gas, Probate, RL, ROW, S&G, Supervised Accounts |
Do tribal employees have access to Trust Asset & Accounting Management System (TAAMS) at the Tribe's location for this particular program? |
This question is asked to determine if tribes have access to TAAMS. Tribes who have access to TAAMS usually keep better records of transactions and have access to more information than tribes who do not. This also assists the auditor in determining if the tribe is familiar with the transaction process and if they take any part in inputting information in TAAMS. |
Acquisitions & Disposals, Agriculture, Appraisals, Beneficiary Processes Program, Business Leases, Forestry, Grazing, Land, Title, & Records Office, Oil & Gas, Probate, Residential Leases, Rights of Way, Sand & Gravel |
If no, please explain how the Tribe determines land ownership. |
This question is asked to determine and assess the internal controls of how the tribe determines and verifies land ownership of transactions. Land ownership is usually generated and verified by a Title Status Report (TSR) in TAAMS. If the Tribe does not have access to TAAMS to generate a TSR or does not have a TSR generated, the auditor needs to determine how land ownership is correctly determined. |
Acquisitions & Disposals, Agriculture, Beneficiary Processes Program, Business Leases, Forestry, Grazing, Oil & Gas, Probate, Residential Leases, Rights of Way, Sand & Gravel |
Do you maintain originals/copies of all processed/approved documents? (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess the internal controls if the compacting tribe maintains originals and/or copies of all processed/approved fiduciary trust records. |
Acquisitions & Disposals, Agriculture, Appraisals, Beneficiary Processes Program, Business Leases, Forestry, Grazing, Land, Title, & Records Office, Oil & Gas, Residential Leases, Rights of Way, Sand & Gravel, Supervised Accounts |
If no, please explain. |
This question is asked to determine and assess the instances when the compacting tribe does maintain originals and/or copies of all processed/approved fiduciary trust records. |
Acquisitions & Disposals, Agriculture, Appraisals, Beneficiary Processes Program, Business Leases, Forestry, Grazing, Land, Title, & Records Office, Oil & Gas, Residential Leases, Rights of Way, Sand & Gravel, Supervised Accounts |
Do you utilize Bureau of Indian Affairs (BIA) handbooks for policies & procedures in managing this function/program? (25 CFR §1000.355(d)(7)) |
This question is asked to determine if the compacting tribe uses BIA handbooks as policies and procedures in managing a particular function/program. If the compacting tribe uses BIA handbooks, this helps the auditor identify the internal controls the compacting tribe is using. |
Acquisitions & Disposals, Agriculture, Appraisals, Beneficiary Processes Program, Business Leases, Forestry, Grazing, Land, Title, & Records Office, Oil & Gas, Probate, Residential Leases, Rights of Way, Sand & Gravel, Supervised Accounts, Wildland Fire |
If no, has the Tribe developed its own policies and procedures? If yes, please upload Tribe's policies and procedures. |
This question is asked to determine if the compacting tribe developed its own policies and procedures and for the compacting tribe to provide them. This assists the auditor in identifying the internal controls the compacting tribe is using. The auditor will also determine and assess whether no internal controls are used to manage a function/program if the compacting tribe has not developed its own policies and procedures. |
Grazing, Probate, Rights of Way, Acquisitions & Disposals, Agriculture, Appraisals, Beneficiary Processes Program, Business Leases, Forestry, Land, Title, & Records Office, Oil & Gas, Residential Leases, Sand & Gravel, Supervised Accounts, Wildland Fire |
Are trust transactions submitted to the Land, Title, & Records Office (LTRO) to be recorded? (25 CFR §150.6) |
This question is asked to determine and assess if the compacting tribe submits trust transactions to the LTRO. All transactions should be submitted to LTRO for recordation as required by 25 CFR §150.6. |
Acquisitions & Disposals, Agriculture, Business Leases, Forestry, Grazing, Oil & Gas, Residential Leases, Rights of Way, Sand & Gravel, Appraisals |
If yes, does the Tribe or the BIA send trust transactions to the LTRO? |
This question is asked to determine and assess which party submits the trust transactions to the BIA. This information is important to determine which party is responsible for instances when trust transactions are submitted to LTRO untimely. |
Forestry, Rights of Way, Acquisitions & Disposals, Agriculture, Business Leases, Grazing, Oil & Gas, Residential Leases, Sand & Gravel |
Do you utilize an internal control to help ensure accuracy in the processing of trust transactions (e.g., policy, checklist, desk operating procedures)? If yes, please upload what is utilized. (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess whether the tribe has internal controls implemented for processing transactions. |
Rights of Way, Acquisitions & Disposals, Agriculture, Beneficiary Processes Program, Business Leases, Forestry, Grazing, Oil & Gas, Probate, Residential Leases, Sand & Gravel, Supervised Accounts, Land, Title, & Records Office |
If no, please explain how the Tribe ensures accuracy in the processing of trust transactions. |
This question is asked to determine and assess how the compacting tribe ensures accuracy in the processing of trust transactions without implemented internal controls. |
Acquisitions & Disposals, Agriculture, Beneficiary Processes Program, Business Leases, Forestry, Grazing, Land, Title, & Records Office, Oil & Gas, Probate, Residential Leases, Rights of Way, Sand & Gravel, Supervised Accounts |
Has an agricultural resource management and monitoring plan (ARMMP) been developed? If yes, please upload top page, table of contents and signature page. (25 CFR §162.201) |
This question is asked to determine and assess if a compacting tribe has an ARMMP and to provide an upload to verify that the compacting tribe has an ARMMP which is required per 25 CFR §162.201 and 25 CFR §166.311. |
Agriculture & Grazing |
Is there a policy and/or procedure that restricts trust records so that only authorized personnel have access to them? If yes, upload a copy. (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are properly maintained and only authorized personnel have access to them. |
Beneficiary Processes Program, Acquisitions & Disposals, Agriculture, Business Leases, Forestry, Grazing, Land, Title, & Records Office, Oil & Gas, Probate, Residential Leases, Rights of Way, Sand & Gravel |
If yes, upload a copy. |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are properly maintained and only authorized personnel have access to them. |
Beneficiary Processes Program |
If no, please explain. |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are properly maintained and only authorized personnel have access to them. |
Beneficiary Processes Program |
Do you have a policy that establishes the timeframes for the processing of trust transactions? If yes, upload a copy. (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that trust transactions are processed in a reasonable amount of time. |
Forestry, Rights of Way, Acquisitions & Disposals, Agriculture, Business Leases, Grazing, Land, Title, & Records Office, Oil & Gas, Probate, Residential Leases, Sand & Gravel, Supervised Accounts, Beneficiary Processes Program |
If no, please explain. |
This question is asked to determine and assess the reason the compacting tribe does not have a policy to establish timeframes for the processing of transactions. |
Forestry, Rights of Way, Acquisitions & Disposals, Agriculture, Business Leases, Grazing, Oil & Gas, Probate, Residential Leases, Sand & Gravel, Supervised Accounts, Beneficiary Processes Program |
Are you aware of any instances of fraud, waste or abuse affecting trust assets/programs? |
This question is asked to determine and assess any instances of fraud, waste, or abuse that are relevant or may affect compacted trust activities. |
IT, Acquisitions & Disposals, Agriculture, Appraisals, Beneficiary Processes Program, Business Leases, Forestry, Grazing, Land, Title, & Records Office, Oil & Gas, Probate, Residential Leases, Rights of Way, Sand & Gravel, Supervised Accounts, Trust Management, Wildland Fire |
If yes, please explain these instances. |
This question is asked to determine and assess any instances of fraud, waste, or abuse that are relevant or may affect compacted trust activities. |
IT, Acquisitions & Disposals, Agriculture, Appraisals, Beneficiary Processes Program, Business Leases, Forestry, Grazing, Land, Title, & Records Office, Oil & Gas, Probate, Residential Leases, Rights of Way, Sand & Gravel, Supervised Accounts, Trust Management, Wildland Fire |
Do you have an approved National Environmental Policy Act (NEPA) document or decision document for each trust transaction (Environmental review)? (25 CFR §162.339 and 162.340(b)) |
This question is asked to determine and assess if a NEPA document is approved for each trust transaction as required by 25 CFR §162.339, 25 CFR §162.213(c), 25 CFR §162.340(b), 25 CFR §162.438, 25 CFR §162.439, 25 CFR §163.34, 25 CFR §166.313, 25 CFR §169.102(8), 25 CFR §211.7 and §212.7. |
Residential Leases, Acquisitions & Disposals, Business Leases, Forestry, Grazing, Rights of Way, Oil & Gas, Sand & Gravel, Agriculture |
If no, please explain. |
This question is asked to determine and assess if a NEPA document is approved for each trust transaction as required by 25 CFR §162.339, 25 CFR §162.213(c), 25 CFR §162.340(b), 25 CFR §162.438, 25 CFR §162.439, 25 CFR §163.34, 25 CFR §166.313, 25 CFR §169.102(8), 25 CFR §211.7 and §212.7. |
Oil & Gas and Sand & Gravel |
Is Secretarial approval obtained for all trust transactions? (25 CFR §163.20) |
This question is asked to determine and assess if all trust transactions are approved by the Secretary as required by 25 CFR §162.215, 25 CFR §163.20, 25 CFR §1000.355(d)(7), 25 CFR §211.4, 25 CFR §162.340, 25 CFR §163.20, 25 CFR §163.438, 25 CFR §166.203, 25 CFR §169.123(b)(2), 25 CFR §211.20(a), and 25 CFR §212.20(c). |
Supervised Accounts, Agriculture, Residential Leases, Acquisitions & Disposals, Forestry, Business Leases, Grazing, Rights of Way, Sand & Gravel, Oil & Gas |
If no, under what authority are the trust transactions approved? Upload supporting documentation (e.g., Hearth Act). |
This question is asked to determine and assess the compacting tribe's explanation of the approval of trust transactions without Secretarial approval. |
Forestry, Business Leases, Acquisitions & Disposals, Oil & Gas, Sand & Gravel, Supervised Accounts, Residential Leases, Agriculture, Rights of Way |
If no, please explain and provide documentation of the authorization to approve grazing permits. (Permit could be authorized by a charter approved by BIA under 25 USC §477 or BIA approval is not required under other applicable federal law (25 CFR §166.203)) |
This question is asked to determine and assess the compacting tribe's explanation of the approval of trust transactions without Secretarial approval. |
Grazing |
If yes, is BIA approval obtained on the permit before the permittee has taken possession or used the land? (25 CFR §166.212) |
This question is asked to determine and assess the compacting tribe's explanation of the approval of trust transactions without Secretarial approval. |
Grazing |
Do you maintain a log to document every transaction that affects land title? If yes, please upload log of approved transactions within scope of review. (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that adequate tracking of trust transactions is performed. |
Land, Title, & Records Office, Acquisitions & Disposals |
If yes, please upload a log of approved transactions within scope of review. |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that adequate tracking of trust transactions is performed. |
Acquisitions & Disposals, Ag, Appraisals, Forestry, Grazing, LTRO, O&G, Probate, RL, ROW, S&G, Supervised Accounts |
Does the Tribe have a policy that addresses instances of trespass? If yes, please upload policy. (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure policies and procedures exist and are utilized for instances of trespass. |
Forestry, Agriculture, Grazing |
If no, explain what the Tribe does in instances of trespass. (25 CFR §162.023) |
This question is asked to determine and assess the actions taken by the compacting tribe when a trespass occurs without written policies and procedures and determine if they are adequate as per 25 CFR §162.023 and 25 CFR §166.800. |
Forestry, Agriculture, Grazing |
Have you deviated from the ARMMP? (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess whether the compacting tribe deviated from the ARMMP. This question will assist the auditor to identify deviations from the ARMMP and to determine whether these deviations are appropriate and have been approved. |
Agriculture, Grazing |
If yes, how are deviations from the ARMMP documented? Please explain and upload support. (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess the documentation of deviations from the ARMMP and to determine whether these deviations have been carried out appropriately. |
Agriculture, Grazing |
Does tribal staff send out notifications to direct pay lessee(s) to make payment(s) to the lockbox instead of the decedent? (25 CFR §§162.226 (c)(1)) |
This question is asked to determine and assess whether the compacting tribe sends notifications to direct pay lessees to make payments to the lockbox instead of decedents who have leases or rights-of-way as required by 25 CFR §§162.226 (c)(1), 25 CFR §§162.324 (c)(5)(ii), 25 CFR §§162.424 (c)(5)(ii), 25 CFR §§166.413 (c)(1), and 25 CFR §§169.116 (c)(5)(ii). |
Agriculture, Residential Leases, Business Leases, Grazing, Rights of Way |
If no, please explain. |
This question is asked to determine and assess what the compacting tribe does with direct-pay lessee payments in instances in which decedents have leases or rights-of-way. If lessees continue to pay by direct-pay, there is a risk of the decedent not receiving the payments and any payments will not be distributed to heirs if payments are sent to the lockbox. |
Agriculture, Residential Leases, Business Leases, Rights of Way |
Have there been any lease violations? (25 CFR §162.251) |
This question is asked to determine and assess if there are any lease violations during the evaluation period and to ensure that if lease violations exist, the compacting tribe followed 25 CFR to address these violations correctly as required by 25 CFR §162.251, 25 CFR §162.365, 25 CFR §162.465, 25 CFR §166.703, 25 CFR §211.55 and §212.55. |
Agriculture, Residential Leases, Business Leases, Grazing, Oil & Gas, Sand & Gravel |
If yes, please explain the violation(s) and the action taken. (25 CFR §162.251) |
This question is asked to determine and assess the violations and the actions taken for these violations or if no action was taken. This will assist the auditor to determine if the compacting tribe performed the correct actions to address the violations as required by 25 CFR §162.251, 25 CFR §162.365, 25 CFR §162.465, 25 CFR §166.703, 25 CFR §211.55 and §212.55. |
Residential Leases, Agriculture, Business Leases, Grazing |
If yes, if lease violations were not corrected within 30 days, did management cancel the permit/lease, or issue an order of cessation of operations? (25 CFR §§211.54 and 212.54) |
This question is asked to determine and assess the violations and the actions taken for these violations or if no action was taken. This will assist the auditor to determine if the compacting tribe performed the correct actions to address the violations as required by 25 CFR §162.251, 25 CFR §162.365, 25 CFR §162.465, 25 CFR §166.703, 25 CFR §211.55 and §212.55. |
Oil & Gas and Sand & Gravel |
If no, please explain. |
This question is asked to determine and assess the violations and the actions taken for these violations or if no action was taken. This will assist the auditor to determine if the compacting tribe performed the correct actions to address the violations as required by 25 CFR §162.251, 25 CFR §162.365, 25 CFR §162.465, 25 CFR §166.703, 25 CFR §211.55 and §212.55. |
Oil & Gas and Sand & Gravel |
Is a Fair Market Value Appraisal or waiver utilized for every transaction? (25 CFR §162.211) |
This question is asked to determine and assess whether the compacting tribe is obtaining an appraisal to determine Fair Market Value or obtain a waiver for each trust transaction as required by 25 CFR §162.211, 25 CFR §162.322, 25 CFR §162.421, 25 CFR §169.114. |
Agriculture, Residential Leases, Business Leases, Rights of Way |
If no, please explain. |
This question is asked to determine and assess what the compacting tribe does when they do not obtain an appraisal to determine Fair Market Value or obtain a waiver. |
Agriculture, Residential Leases, Business Leases, Rights of Way |
Is a bond collected on all leases? (25 CFR §162.234 & 25 CFR §162.235) |
This question is asked to determine and assess if the compacting tribe ensures that bonds are collected on all leases as required by 25 CFR §162.234, 25 CFR §162.235, 25 CFR §162.434, 25 CFR §166.600, 25 CFR §211.24, and §212.24. |
Agriculture, Business Leases, Grazing, Sand & Gravel |
If no, please explain. |
This question is asked to determine and assess why the compacting tribe does not collect bonds on all leases. |
Agriculture, Business Leases, Grazing, Sand & Gravel |
Do you maintain a log to document every transaction? If yes, please upload a log of approved transactions within scope of review. (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that adequate tracking of trust transactions is performed. |
Probate, Supervised Accounts, Appraisals |
Do you maintain a log to document every transaction that generates trust income? (e.g. agriculture leases/permits) (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that adequate tracking of trust transactions is performed. |
Ag, Forestry, Grazing, O&G, S&G |
Do you maintain a log to document every transaction that encumbers trust land? (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that adequate tracking of trust transactions is performed. |
Business Leases, Residential Leases, Rights-of-Way |
Are Trust records restricted so that only authorized personnel have access to them? (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that adequate tracking of trust transactions is performed. |
Supervised Accounts |
TABLE 2.1 IT |
|
We Ask… |
So that we can… |
1 |
Is system access reviewed at least annually, by a supervisor or manager, to ensure users only have access to the systems, applications, and information they need to perform their duties? (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by reviewing system access periodically to ensure users only have access to systems, applications, and information they need to perform their duties. |
2 |
Is individual authentication required to access the system (examples: username and password, two-factor authentication, biometrics)? (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by requiring individual authentication to access the system. |
3 |
Are shared/group accounts allowed? (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by ensuring that there are no shared/group accounts. |
4 |
Are there policies and procedures documented for access control identification and authentication that can be made available? (If so, request a copy) (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by ensuring that there are policies and procedures for access control identification and authentication. |
4a |
If yes, how does the Tribe verify that the policies and procedures are being followed related to access control, identification and authentication? (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess the internal controls of the compacting tribe to verify if and how policies and procedures are being followed. |
5 |
Does the Tribe collect and review the audit logs for these security solutions on a regular basis? Are the logs for these devices reviewed? |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by ensuring that the tribe collects and reviews audit logs on a regular basis. |
6 |
Is a current hardware and software inventory maintained on the system (examples: anti-virus software, firewalls, intrusion detection devices/software, encryption)? |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by ensuring that current hardware and software inventory is maintained. |
7 |
Are there procedures for decommissioning equipment and sanitizing media? If yes, please upload. |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by ensuring that procedures for decommissioning equipment and sanitizing media exist to prevent disclosing fiduciary trust records. |
8 |
What system hardening/security configuration guides are followed for operating systems and network devices? (i.e., STIG, Baseline, Secure Configurations) |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by ensuring that system hardening/security configuration guides exist and are adhered to for operating systems and network devices. |
9 |
Are vulnerability scans or security penetration tests performed quarterly or semi-annually? |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by ensuring vulnerability scans or security penetration tests are performed quarterly or semi-annually. |
10 |
Is any trust transaction or other Personally Identifiable Information (PII) electronically transferred or provided to an external party such as auditors or other governmental entities? (25 CFR §1000.355(d)(7)) |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by ensuring that PII is not transferred to external parties. |
10a |
If yes, is all electronic data containing trust transaction or other PII encrypted prior to transmittal? If so, what software is used and what type of encryption method is used (i.e. WinZip AES 256-bit)? |
This question is asked to determine and assess if PII is encrypted when it is electronically transferred to external parties. Encrypting PII when it is transferred lowers the risk of disclosing information to unintended recipients or users. |
11 |
Are employees required to take security training? If so, how is it accomplished and documented? |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by ensuring tribal employees participate in security trainings. |
12 |
Do users have to acknowledge Rules of Behavior when accessing the system? If yes, please upload. |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by ensuring that a Rules of Behavior acknowledgement is required when accessing the system. |
13 |
Are there any policies and procedures for the physical safeguards to protect electronic trust or financial transaction-related data from theft, unauthorized access, or environmental damage (examples: alarms, badge readers, locks, safes, network servers secured in a room with limited controlled access, laptops and tablets secured when not in use)? If yes, upload. |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by ensuring policies and procedures for the physical safeguards to protect electronic trust or financial transaction-related data from theft, unauthorized access, or environmental damage exist. |
14 |
Are systems protected by uninterruptible power supplies (UPS) to prevent damage from lightning and power outages? |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by ensuring systems are protected by uninterruptible power supplies to prevent damage from lightning and power outages. |
15 |
To protect from environmental threats, such as flood and fires, what is the backup and restoration policy and procedure for trust or financial transaction-related data? Please upload backup and restoration policy. |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by ensuring there is a backup and restoration policy and procedure to protect from environmental threats such as flood and fires. |
16 |
What level of backups are done daily, weekly, monthly? |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by ensuring backups are performed daily, weekly, and monthly. |
17 |
Is there an off-site emergency backup storage location? |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by ensuring there is an off-site emergency backup storage location. |
17a |
If yes, where are the backups stored? Are they stored offsite at an emergency back-up location (i.e. in the cloud or off-site)? |
This question is asked to determine where the backups are stored. |
18 |
How often is backup restoration tested? |
This question is asked to determine and assess the internal controls of the compacting tribe to ensure that fiduciary trust records are preserved and protected, as required by the funding agreement, in regards to IT by ensuring that backup restoration is tested on a regular basis. |
20 |
Does the system use any wireless technology (WiFi or Bluetooth)? |
This question is asked to determine and assess whether the compacting tribe uses wireless technology and if so, to ensure that proper internal controls are in place to preserve and protect fiduciary trust records, as required by the funding agreement. |
20a |
If yes, are there policies and procedures covering wireless security? Please upload the wireless security procedures. |
This question is asked to determine and assess whether the compacting tribe uses wireless technology and if so, to ensure that proper internal controls are in place to preserve and protect fiduciary trust records, as required by the funding agreement. |
20c |
If wireless is used, what security configuration guides are followed? |
This question is asked to determine and assess whether the compacting tribe uses wireless technology and if so, to ensure that proper internal controls are in place to preserve and protect fiduciary trust records, as required by the funding agreement. |