Financial Audit Division | January 2025
The Office of the State Auditor generally complied with the significant finance-related legal requirements we tested and generally had adequate internal controls. However, we identified instances of noncompliance and an internal control weakness related to asset management.
The Office of the State Auditor implemented some best practices for information technology security controls. However, we identified several areas in which the office should implement additional controls or strengthen existing controls to better protect its information technology resources.
The Office of the State Auditor did not assign asset numbers to all of its capital asset acquisitions, nor did it record those assets in its capital asset system, as required by its policy. (p. 21)
Recommendations
The Office of the State Auditor did not manage its asset inventory in compliance with state or office policies. (p. 21)
Recommendations
The Office of the State Auditor has not implemented an information security program that aligns with best practices. (p. 28)
Recommendation
The Office of the State Auditor should implement an information security program that aligns with best practices. As part of its implementation, the office should:
The Office of the State Auditor’s inventory of information technology hardware and software did not contain important maintenance and security-related information. (p. 31)
Recommendation
The Office of the State Auditor should maintain an inventory of information technology assets that includes information prescribed by best practices.
The Office of the State Auditor has hardware and software that is outdated and no longer supported by its vendors or manufacturers. (p. 32)
Recommendation
The Office of the State Auditor should establish and implement a plan to replace its outdated hardware and software.
The Office of the State Auditor did not conduct annual security awareness training for its employees. (p. 32)
Recommendations
The Office of the State Auditor did not always follow best practices when authenticating users that access its information technology assets and software. (p. 33)
Recommendations
The Office of the State Auditor does not have a comprehensive security logging and monitoring program in place to detect and respond to security threats. (p. 36)
Recommendation
The Office of the State Auditor should implement a comprehensive security logging and monitoring program.
The Office of the State Auditor does not follow best practices to detect, respond to, and prevent potential threats to its network. (p. 37)
Recommendations