Internal and external audits are an important part of a continuous IT improvement cycle and successfully completing an audit is always a celebrated milestone. During the fiscal year, an ITS project team and many staff members across the organization contributed substantial time and effort to support the North Carolina Office of the State Auditor IT General Controls Audit.
This was the first audit of this kind since ConnectCarolina went live in 2013.
Guiding ITS through this nine-month audit process, as she has for the past nine years, was Mechelle Clayton. Working closely with Clayton was Kim Stahl, IT Policy Facilitator with the Office of the CIO.
“Working with Mechelle on the audit was a real high point of the experience,” Stahl said. “One thing about Mechelle is that she can bring clarity to almost any situation. Mechelle would routinely re-frame what the auditors would ask us to be certain that we understood what they needed. She followed up on everything so that no request slipped through the cracks. Even through the most challenging parts of the audit, her calm professionalism kept the process on track.”
Alumna dedicated to Carolina
Clayton is a Carolina alumna who has worked for ITS all of her 29 years with the University. Her first UNC-Chapel Hill job was Computer Operator, when she was the first and only Service Desk staff person. Nowadays, she manages the University Services portfolio, which includes applications supporting One Card, facilities, financial apps such as P-Card and Customer Billing Management (CBM) and Auxiliary Services.
With professionalism and dedication to the University she loves, Clayton also applies her abilities to fulfill the expectations of auditors at various levels of review. As the point person between the state and UNC ITS systems, her commitment, attention to detail and persistence serves ITS — and the needs of auditors — well.
Because she’s worked at ITS a long time, Clayton knows the history of the applications and remembers why something is done the way it is.
“I grew up loving UNC and it’s very important to me to attempt to make a positive difference for the University with my work,” Clayton said.
Loves ‘getting in the weeds’
While she has the history and experience to understand the 30,000-foot view, she also loves “getting in the weeds.”
For her work on audits, Clayton meets with contacts across campus to ensure that ITS policies are implemented University wide. If an audit results in findings, she brings the issue back to the group to ensure that the loop is closed and the issue is fixed.
“Mechelle is conscientious and proactive in working with each different group that is involved in the audit process, ensuring we understand the process and detail to provide,” said Sharron Bouquin, Auxiliary Applications Manager with ITS Enterprise Applications. “With Mechelle as the ‘intermediary,’ we ensure consistency and meticulous detail is met. Both of which are critical in the audit process.”
Worked on audits since 2009
As part of her work on audits, Clayton writes a quarterly report to the UNC Internal Audit. She’s also responsible for the annual Financial IT General Controls Audit. She’s done these since 2009, when she was responsible for the legacy Finance applications (pre-ConnectCarolina) from 2009 to 2012. There have been zero reported findings for these audits as far back as she can remember.
The state IT General Controls Audit, meanwhile, is based on ITS’ compliance with ISO 27002, which is an information security standard that UNC schools have committed to follow. The 2017-2018 audit resulted in only four findings, which were quickly addressed. The number of findings in the previous ITGC audit, in 2009, exceeded 100.
An audit resulting in only four findings is a testament to Clayton’s leadership and commitment. ITS was able to demonstrate that it has key policies and key systems in place to secure and manage data, and ITS provided evidence that it follows its established policies and processes.
That took a heck of a lot of work. Clayton estimates that during the first three months, this audit took 75 percent of her time. The second three months consumed 50 percent and the last three months, 25 percent.
Prior to the 2016-2017 fiscal year, a project team began gathering information in preparation for the audit. NCOSA auditors were on site from February to May 2017. During that time, the auditors and ITS staff had 62 meetings and 200 requests for information. About 20 people from schools across campus also participated. They covered such topics as access control, contingency planning, security management, configuration management, application security and segregation of duties.
Enables everyone to work their best
“One important thing about having a skilled coordinator like Mechelle is that months later, while we’re working to remediate what the auditors found, we have someone who was in most of the meetings and can answer our questions,” Stahl said. Clayton “heard what they asked and what they said. She didn’t let even the smallest observations pass by without understanding them, following up, asking questions, taking notes. So now, when we need to do the work of implementing changes, we have someone who can give us the detail to interpret what was meant in the report, we go back to Mechelle and she has a firm grasp on it. She has the big picture and she has the small details.”
Clayton “is the keeper of ITS history,” said Anita Collins, Change Management Manager within ITS Enterprise Applications. “Mechelle has a tremendous memory of how we’ve done things in the past, why things were done that way, and who was involved. She’s a great resource for decision making in that way.” Clayton provides the answer and the context for why that’s the answer, Collins added.
“Few people have the range of skills Mechelle Clayton brings to the table, and she always brings them in a helpful way that makes her a pleasure to work with,” Stahl said. “Audits aren’t fun, but Mechelle brings an experienced, goal-oriented efficiency to it that keeps everyone else able to work their best through a difficult process.”