Skip to main content Skip to office menu Skip to footer
3 golden objects Minnesota Legislature

Office of the Legislative Auditor - Financial Audit Division

Report Summary
Small Agencies' Information Security Controls
Information Technology Audit


Financial Audit Division Report 09-16 Released April 9, 2009


Small agencies in Minnesota state government generally do not have adequate security controls over their computer systems, which creates an unacceptable risk of unauthorized access to not public data and disruption to state functions. Effectively resolving these weaknesses is unlikely without the ongoing oversight and support of the Office of Enterprise Technology. This report contains six findings concerning control weaknesses in small agencies’ computer systems.

Audit Objective and Scope

The primary objective of our audit was to answer the following question:

  • Do small agencies have adequate controls to protect the integrity, confidentiality, and availability of their computer systems and data?

To answer this question, we assessed security controls at 12 small state agencies as of January 2009.


We identified 45 small state agencies, which we defined as any office, bureau, board, commission, or agency with 50 or fewer employees. All of these agencies perform some service or function specified in state law. These agencies need to have secure computer systems to protect the state from financial losses and unauthorized disclosure of not public data; they need to have effective internal controls to address their information technology risks.

More Information

Office of the Legislative Auditor, Room 140, 658 Cedar St., St. Paul, MN 55155 : or 651‑296‑4708