Minnesota Legislature

Office of the Legislative Auditor - Financial Audit Division

Report Summary

Minnesota State Lottery

Performance Audit

Financial Audit Division, November 2024

Conclusions

The Minnesota State Lottery (Lottery) generally did not have adequate internal controls to ensure compliance with significant legal requirements and industry standards we tested. We identified a number of internal control weaknesses related to retailers, scratch games, physical security, system access management, vulnerability and configuration management, and incident response and disaster recovery.

The Lottery generally complied with the significant legal requirements we tested, but there were some specific instances of noncompliance related to background checks for retailers, retailers continuing to sell lottery tickets with expired contracts, reimbursement for lost or stolen scratch game tickets, and system access management.

The list of findings below and the full report provide more information about these concerns.

Findings and Recommendations

Finding 1

    Since early 2023, the Minnesota State Lottery has not verified that retailers have not been convicted of disqualifying crimes. (p. 19)

    Recommendation

    The Minnesota State Lottery should verify that retailers have not been convicted of disqualifying crimes.

Finding 2

    The Minnesota State Lottery permitted retailers with expired contracts to continue selling lottery tickets, in violation of requirements in state law. (p. 23)

    Recommendations

  • The Minnesota State Lottery should not permit retailers with expired contracts to sell lottery tickets.
  • The Minnesota State Lottery should implement controls to ensure retailer contracts are renewed prior to their expiration date.

Finding 3

    The Minnesota State Lottery did not comply with Minnesota rules when it declined to charge retailers for lost or stolen scratch game tickets. (p. 27)

    Recommendation

    The Minnesota State Lottery should comply with Minnesota rules and charge retailers for lost or stolen scratch game tickets.

Finding 4

    The Minnesota State Lottery did not always audit and review unauthorized access and access attempts in accordance with its policy. (p. 30)

    Recommendations

  • The Minnesota State Lottery should develop and document its procedures for auditing and responding to physical security events.
  • The Minnesota State Lottery’s security director should oversee regular audits of physical security events, as required by policy.

Finding 5

    Minnesota State Lottery third-party security guards did not follow documented procedures to record the issuance of a temporary security guard badge. (p. 31)

    Recommendation

    The Minnesota State Lottery should ensure that its third-party security guards adhere to the Lottery’s security policies and procedures for temporary badges.

Finding 6

    Prior Audit Finding Partially Resolved. The Minnesota State Lottery has not performed an annual review of all access granted to employees, as required by policy. (p. 37)

    Recommendation

    The Minnesota State Lottery should designate a director to lead an annual review of access assigned to all users—including access to each of the Lottery’s systems, and device, service, and system accounts.

Finding 7

    The Minnesota State Lottery did not have adequate separation of duties among key information technology administrators. (p. 38)

    Recommendation

    The Minnesota State Lottery should ensure separation of duties among its information technology staff to reduce its risk.

Finding 8

    The Minnesota State Lottery’s implemented password requirements do not comply with its policy. (p. 39)

    Recommendations

  • The Minnesota State Lottery should implement password requirements according to its policies.
  • The Minnesota State Lottery should ensure that password policies are properly enforced for all user accounts, as defined by its policy.

Finding 9

    The Minnesota State Lottery’s vulnerability and configuration management program does not meet best practices. (p. 40)

    Recommendations

  • The Minnesota State Lottery should develop procedures to consistently log, track, and resolve vulnerabilities based on severity.
  • The Minnesota State Lottery should develop vulnerability metric reports for management, and report progress against key performance indicators.
  • The Minnesota State Lottery should implement configuration compliance scanning against standardized configuration baselines.

Finding 10

    Prior Audit Finding Partially Resolved. The Minnesota State Lottery has not adequately documented, and has not tested or trained staff on, its procedures to respond to a significant incident. (p. 42)

    Recommendations

  • The Minnesota State Lottery should develop incident response procedures based on an incident’s scope, likely impact, time-critical nature, and resource availability.
  • The Minnesota State Lottery should ensure that formal post-incident reviews are documented and occur with stakeholders from throughout the agency.
  • The Minnesota State Lottery should perform regular testing and training on its incident response and disaster recovery plans and procedures.
  • The Minnesota State Lottery should ensure its third-party system providers are included in disaster recovery planning, testing, and training.

Finding 11

    In their survey responses, many Minnesota State Lottery employees indicated concerns about the Lottery’s workplace culture. (p. 45)

    Recommendation

    Lottery executive leadership should evaluate agency practices and make changes to promote a productive environment.

More Information

Office of the Legislative Auditor, Room 140, 658 Cedar St., St. Paul, MN 55155; legislative.auditor@state.mn.us or 651‑296‑4708