Information Assurance Internal Control Annual Certification

To see the questions from previous years, visit the IA Internal Control Certification Question Archive.

The Office of Internal Controls conducts an annual certification process for select U-M business areas. One of the certification areas is information assurance. Every fiscal year, units are asked to certify their level of compliance with a particular information assurance practice or process. 

Security Unit Liaisons for each certifying unit should work with their unit's key administrative officer to ensure that their unit is prepared to answer the information assurance certification question.

Fiscal Year 2026 Question

To ensure the security of U-M technology in accordance with the IT standard on Endpoint Security Administration (DS-23), units must maintain an up-to-date inventory of university-owned systems.

My unit has established and maintains an up-to-date inventory of university-owned systems in my unit.

Responses to FY26 Question

All units should be able to reply "Yes" or "Partially" to the question.

  • Yes. My unit has established and maintains an up-to-date inventory of university-owned systems in my unit.
  • Partially. My unit is in the process of establishing an inventory of university-owned systems in my unit, and has plans for keeping it up-to-date.
  • No. My unit has not established an inventory of university-owned systems in my unit.

Guidance for Responding to the FY26 Question

University-owned systems are defined as all endpoints and devices, servers, and institutional IT resources that are funded, owned, licensed by, or under the direct control of the university, whether locally or with a cloud provider. This includes research devices purchased with U-M general, research, or other funds, including faculty start-up funds and grant funding.

The university does not provide an enterprise inventory management solution, but offers systems with IT asset management capabilities, like TeamDynamix. Units are expected to develop and maintain their own inventories of university-owned systems using a solution of their choice. ITS Information Assurance is available to provide guidance and help units with initial inventory based on information in Active Directory.

The recommended fields for a university-owned system inventory are:

  • Serial Number
  • Asset Tag
  • Device Type
  • Device User Uniqname
  • Unit/Department
  • Device Location
  • Warranty Information
  • Falcon Sensor Status

Units may choose to maintain additional device information to support unit-specific processes.

Supporting Resources

Endpoint Security Administration (DS-23)

Endpoint Protection Guidance