RSM briefed audit committee: penetration testing near complete; contract-compliance fieldwork underway

Clay County Internal Audit Committee · December 18, 2025

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

RSM told Clay County's audit committee that internal and external penetration testing is in the reporting phase and that contract-compliance testing (five high-risk contracts sampled) is in fieldwork; full cyber reports will be handled as confidential material per statutory guidance.

An RSM representative updated the Clay County Internal Audit Committee on Nov. 20, saying the firm had completed internal and external penetration testing and was in the reporting and QA/QC phase. The representative said the full cyber report is confidential and that any presentation of technical findings to the committee or board would likely occur in closed session and under controlled distribution.

The RSM representative described the cyber testing as two components: external penetration testing (attempts by white-hat testers to compromise the district environment from outside) and internal testing (assessing lateral movement once an actor has access). If vulnerabilities are found, RSM said, those are discussed with management and remediation recommendations are offered. On the confidentiality process, the representative said the firm typically provides a letter referencing sunshine-law statutes and will work with board counsel and the board liaison to determine whether and how to present findings to the committee.

On contract compliance, RSM said it sampled five contracts across departments, focusing on inherently high-risk vendors and provisions; the firm is in fieldwork and will review provisions, vendor deliverables and invoice compliance. RSM said it will hold exit meetings with departments, obtain management responses and vet draft reports with the superintendent and cabinet before presenting a final report to the audit committee.

Timing: RSM estimated the cyber work would be substantially complete by Christmas, with reporting and committee-level discussion possible in February or March depending on the committee's schedule; contract compliance testing was active and expected to move to reporting after fieldwork is complete. The representative noted that some materials would remain confidential; hard-copy reports would be numbered and collected when distributed under closed-session rules.

During questions, a committee member asked whether penetration testers are direct employees; the RSM representative said they are firm employees and that the firm has dedicated cyber teams for government clients.

Provenance: RSM's update begins at SEG 684 ("update from RSM on cybersecurity and contract review") and continues through SEG 1015 (end of RSM questions).