Legislative audit committee releases public cybersecurity audit of OIT, finds documentation gaps and partial implementation

The Legislative Audit Committee on January 15 released a public audit of the Governor’s Office of Information Technology (OIT) that found gaps in governance, documentation and training across the state’s information‑technology program.

The Office of the State Auditor (OSA) told the committee the follow‑up audit identified 12 findings and 85 recommendations related to cybersecurity resilience. OSA said OIT agreed with 18 recommendations, partially agreed with 30 and disagreed with 37. "We have to verify it with supporting evidence and documentation," OSA Chief IT Auditor Matt Devlin said during the presentation.

OIT Executive Director David Edinger acknowledged the agency fell short of expectations in documenting its remediation work. He told the committee OIT mobilized "hundreds of employees and thousands of work hours," but that the agency's submissions lacked the evidence OSA required to confirm full implementation. "We missed the ball on that documentation piece," Edinger said.

OSA recounted that the original 2023 resiliency audit produced 77 recommendations. In OSA's 2024 follow‑up it found 71 of those recommendations remained open; the 2025 follow‑up audit assessed…