§ 18C-122. Independent audits.
§ 18C‑122. Independentaudits.
(a) Biennially, at thebeginning of the calendar year, the Commission shall engage an independent firmexperienced in security procedures, including computer security and systemssecurity, to conduct a comprehensive study and evaluation of all aspects ofsecurity in the operation of the Commission and of the Lottery. At a minimum,such a security assessment should include a review of network vulnerability,application vulnerability, application code review, wireless security, securitypolicy and processes, security/privacy program management, technologyinfrastructure and security controls, security organization and governance, andoperational effectiveness.
(b) The portion of thesecurity audit report containing the overall evaluation of the Commission andof lottery games in terms of each aspect of security shall be presented to theCommission, to the Governor, and to the General Assembly.
(c) The portion of thesecurity audit report containing specific recommendations shall beconfidential, shall be presented only to the Director and to the Commission,and shall be exempt from Chapter 132 of the General Statutes. The Commissionmay hear the report of such an audit, discuss, and take action on anyrecommendations to address that audit under G.S. 143‑318.11(a)(1).
(d) Biennially at theend of the fiscal year, in addition to the audits required by G.S. 18C‑116and by subsection (a) of this section, beginning in 2010, the Commission shallengage an independent auditing firm that has experience in evaluating theoperation of lotteries to perform an audit of the Lottery. The results of thisaudit shall be presented to the Commission, to the Governor, and to the GeneralAssembly. (2005‑344,s. 1; 2005‑276, s. 31.1(i); 2009‑357, s. 15.)