Audit Timeline
July 15-September 5th, 2025
Kick-off Session & New Dashboard User Report
July 15, 2025 at 2 pm ET. This session is open to Commissioners, DCAs and Compact Staff and will cover the new dashboard user report as well as instructions for completing the audit requirements.
Recording:
New audit report for managing dashboard users:
User Audit Instructions & Submission Form
Click to download the Audit Checklist
FY26 ICOTS & Dashboard User Audit
FAQs
Q: How often does the dashboard report data get updated?
A: Dashboard data is updated daily, but it only shows complete information from 2 days ago or earlier. Data from the past 24 hours may be incomplete.
Q: Why are individuals listed on the Dashboard User Report if they were never given dashboard access? How have users been managed?
A: When reports were migrated in Fall 2024, users were imported based on the ICAOS directory at that time. This audit helps identify and remove any unintended users, as the management report wasn’t available until July 2025. Usage details are available if access concerns arise. Currently, access changes (except for Commissioners and DCAs, who receive automatic access) are handled manually via the ICAOS support site. States request access for an individual through the site, and request removal of access when that individual leaves his or her role and no longer needs it.
Audit Details & Summary
The Compliance and Executive Committees have approved conducting an ICOTS User Audit for FY26. As part of this upcoming audit, we will review user account management practices related to ICOTS and dashboard reports. The audit will focus on the following areas to ensure compliance with best practices, data privacy standards, and appropriate user access protocols.
ICOTS User Management
User Account Activity
To ensure compliance with user account management expectations, states are expected to review the ICOTS User List dashboard report, which provides a detailed overview of user account activity. This report includes:
- The total number of active user accounts;
- The number of inactive accounts that still have assigned roles;
- The number of inactive accounts with no login activity for more than 90 days and more than one year; and,
- Any active accounts that show no login activity.
This data will help states evaluate current user access and make any necessary corrections to ensure proper account maintenance and system security.
User Access Policies & Procedures
States will be asked to provide documentation of their internal policies and procedures for assigning and managing ICOTS user access levels. This should include an excerpt addressing user account maintenance and audit responsibilities, as well as an explanation of how access levels are determined, monitored, and adjusted over time.
Self-Auditing & Training Procedures
States will be asked to document the self-auditing and user account management practices currently in place, including the frequency of internal review or account clean-up. Additionally, states should provide an overview of ICOTS training protocols, detailing:
- Role-specific training related to system access and proper use;
- The timing of training (e.g., prior to system access or recurring requirements); and,
- Whether ongoing training is required to maintain access.
Dashboard User Management
Dashboard Access Review: Using a newly developed report to manage the users accessing dashboard reports, states will be asked to evaluate the appropriateness of each user’s access and ensure proper account maintenance.