TABC auditors present restricted cybersecurity report; commission approves FY2026 internal audit plan
Summary
External auditors briefed commissioners on a confidential cybersecurity audit and penetration test; the commission voted to approve the agency's FY2026 internal audit plan.
Liz Myers of McConnell Jones, the commission's external/internal auditors, told the Texas Alcoholic Beverage Commission on June 24 that a cybersecurity audit and an associated penetration test identified areas for improvement and that both reports are restricted under Texas Government Code Sec. 552.139 because they could disclose sensitive security information. Myers recommended targeted follow-up work and presented a proposed FY2026 internal audit plan that would include audits of warehouse operations and fleet management plus an advisory on staffing.
The commission voted to approve the FY2026 internal audit plan as presented. Commissioner Scott Adkins moved to approve the plan; Commissioner Marino seconded the motion. The chair called the vote and the motion was recorded as approved.
Why it matters: the cybersecurity findings, while not public, inform the agency's risk priorities and the items the auditors will follow up on. The approved FY2026 audit plan directs resources to operations and staffing issues that agency leaders said are important for continuity and service delivery.
Myers said the cybersecurity audit assessed controls against the NIST Cybersecurity Framework, the Texas Security Control Standards v2.1 and the Criminal Justice Information Services security policy. The engagement scope covered network devices, servers, endpoints and applications for the period Sept. 1, 2023, through Jan. 31, 2025. She told commissioners the audit rated inherent cyber risk as high and residual risk as medium because of evolving threats, human error and third-party risk.
Myers described the penetration testing as "ethical hacking" performed against a selection of TABC network devices to provide evidence of control effectiveness and of exploitability where weaknesses exist. Because the reports could expose vulnerabilities, Myers said they are exempt from public disclosure under Texas Government Code Sec. 552.139.
On open items from prior audits, Myers said TABC has made progress on many findings. She flagged several AIMS-related issues (audit trail, proxy functionality, search function and defect backlog) that remain partially addressed and noted target completion dates the agency is tracking with its vendor.
The approved FY2026 internal audit plan allocates audit resources to warehouse and fleet controls, cycle counts and physical inventory processes, fleet management, system utilization and reconciliations; it also adds an advisory on staffing due to retirement and retention concerns. Commissioners recorded the motion as approved by voice vote.
The agency's FY2025 annual internal audit report was presented in draft and will be updated to reflect the FY2026 plan; the report will be filed as required by the Texas Internal Auditing Act.
No additional formal actions were taken in open session related to the confidential cybersecurity reports.
Commissioners asked staff to continue working with auditors and vendors to address AIMS defects and to keep the commission informed as remediation steps are scheduled and completed.
