Minnesota Legislature

Office of the Legislative Auditor - Financial Audit Division

Report Summary

Office of the State Auditor

Performance Audit

Financial Audit Division January 2025

Conclusions

The Office of the State Auditor generally complied with the significant finance-related legal requirements we tested and generally had adequate internal controls. However, we identified instances of noncompliance and an internal control weakness related to asset management.

The Office of the State Auditor implemented some best practices for information technology security controls. However, we identified several areas in which the office should implement additional controls or strengthen existing controls to better protect its information technology resources.

Findings and Recommendations

Finding 1

    The Office of the State Auditor did not assign asset numbers to all of its capital asset acquisitions, nor did it record those assets in its capital asset system, as required by its policy. (p. 21)

    Recommendations

  • The Office of the State Auditor should assign asset numbers to all capital asset acquisitions and record those assets in its capital asset system.
  • The Office of the State Auditor should strengthen internal controls over assets to ensure it assigns asset numbers to all of its capital asset acquisitions and records all capital assets in its capital asset system.

Finding 2

    The Office of the State Auditor did not manage its asset inventory in compliance with state or office policies. (p. 21)

    Recommendations

  • The Office of the State Auditor should conduct and document a full physical inventory of assets annually, to comply with both state and office policies.
  • The Office of the State Auditor should update its capital asset system to reflect the results of its annual inventories and investigate discrepancies between its physical inventory and capital asset system.

Finding 3

    The Office of the State Auditor has not implemented an information security program that aligns with best practices. (p. 28)

    Recommendation

    The Office of the State Auditor should implement an information security program that aligns with best practices. As part of its implementation, the office should:

  • Establish expectations and requirements for its information technology operations and security within office policies, standards, and procedures.
  • Conduct security control assessments of its information assets.
  • Develop and implement a plan to regularly track information technology vulnerabilities.

Finding 4

    The Office of the State Auditor’s inventory of information technology hardware and software did not contain important maintenance and security-related information. (p. 31)

    Recommendation

    The Office of the State Auditor should maintain an inventory of information technology assets that includes information prescribed by best practices.

Finding 5

    The Office of the State Auditor has hardware and software that is outdated and no longer supported by its vendors or manufacturers. (p. 32)

    Recommendation

    The Office of the State Auditor should establish and implement a plan to replace its outdated hardware and software.

Finding 6

    The Office of the State Auditor did not conduct annual security awareness training for its employees. (p. 32)

    Recommendations

  • The Office of the State Auditor should establish requirements for its information security awareness program.
  • The Office of the State Auditor should provide security awareness training to its employees on an annual basis.

Finding 7

    The Office of the State Auditor did not always follow best practices when authenticating users that access its information technology assets and software. (p. 33)

    Recommendations

  • The Office of the State Auditor should require more complex passwords for accounts with broad access.
  • The Office of the State Auditor should [REDACTED].

Finding 8

    The Office of the State Auditor does not have a comprehensive security logging and monitoring program in place to detect and respond to security threats. (p. 36)

    Recommendation

    The Office of the State Auditor should implement a comprehensive security logging and monitoring program.

Finding 9

    The Office of the State Auditor does not follow best practices to detect, respond to, and prevent potential threats to its network. (p. 37)

    Recommendations

  • The Office of the State Auditor should maintain and update network documentation annually, or when significant changes occur.
  • The Office of the State Auditor should ensure its network infrastructure is kept up-to-date.
  • The Office of the State Auditor should implement necessary network intrusion detection and prevention capabilities.

More Information

Office of the Legislative Auditor, Room 140, 658 Cedar St., St. Paul, MN 55155: legislative.auditor@state.mn.us or 651‑296‑4708