Financial Audit Division | November 2024
The Minnesota State Lottery (Lottery) generally did not have adequate internal controls to ensure compliance with significant legal requirements and industry standards we tested. We identified a number of internal control weaknesses related to retailers, scratch games, physical security, system access management, vulnerability and configuration management, and incident response and disaster recovery.
The Lottery generally complied with the significant legal requirements we tested, but there were some specific instances of noncompliance related to background checks for retailers, retailers continuing to sell lottery tickets with expired contracts, reimbursement for lost or stolen scratch game tickets, and system access management.
The list of findings below and the full report provide more information about these concerns.
Since early 2023, the Minnesota State Lottery has not verified that retailers have not been convicted of disqualifying crimes. (p. 19)
Recommendation
The Minnesota State Lottery should verify that retailers have not been convicted of disqualifying crimes.
The Minnesota State Lottery permitted retailers with expired contracts to continue selling lottery tickets, in violation of requirements in state law. (p. 23)
Recommendations
The Minnesota State Lottery did not comply with Minnesota rules when it declined to charge retailers for lost or stolen scratch game tickets. (p. 27)
Recommendation
The Minnesota State Lottery should comply with Minnesota rules and charge retailers for lost or stolen scratch game tickets.
The Minnesota State Lottery did not always audit and review unauthorized access and access attempts in accordance with its policy. (p. 30)
Recommendations
Minnesota State Lottery third-party security guards did not follow documented procedures to record the issuance of a temporary security guard badge. (p. 31)
Recommendation
The Minnesota State Lottery should ensure that its third-party security guards adhere to the Lottery’s security policies and procedures for temporary badges.
Prior Audit Finding Partially Resolved. The Minnesota State Lottery has not performed an annual review of all access granted to employees, as required by policy. (p. 37)
Recommendation
The Minnesota State Lottery should designate a director to lead an annual review of access assigned to all users—including access to each of the Lottery’s systems, and device, service, and system accounts.
The Minnesota State Lottery did not have adequate separation of duties among key information technology administrators. (p. 38)
Recommendation
The Minnesota State Lottery should ensure separation of duties among its information technology staff to reduce its risk.
The Minnesota State Lottery’s implemented password requirements do not comply with its policy. (p. 39)
Recommendations
The Minnesota State Lottery’s vulnerability and configuration management program does not meet best practices. (p. 40)
Recommendations
Prior Audit Finding Partially Resolved. The Minnesota State Lottery has not adequately documented, and has not tested or trained staff on, its procedures to respond to a significant incident. (p. 42)
Recommendations
In their survey responses, many Minnesota State Lottery employees indicated concerns about the Lottery’s workplace culture. (p. 45)
Recommendation
Lottery executive leadership should evaluate agency practices and make changes to promote a productive environment.