The Legislative Audit Bureau makes 15 recommendations to State of Wisconsin Agencies.

We recommend the Wisconsin Department of Administration report to the Joint Legislative Audit Committee by March 1, 2024, on the status of its efforts to:  

1. complete access reviews; (p. 7)
2. take steps to develop a plan and begin to identify and document exceptions to controls listed in the State of Wisconsin IT Security Policy Handbook and related standards by April 30, 2024; and (p. 7)
3. develop its monitoring plan for reviewing the effectiveness of agency-reported information, and progress made in updating its risk management program. (p. 7)

 We recommend the Wisconsin Department of Administration:

4. record the interest earnings on the CSLFRF funding as general purpose revenues subject to future appropriation; (p. 14)
5. review how it records interest earnings for other federal programs with advanced funding and record the interest earnings as general purpose revenues subject to appropriation when there are no program restrictions; (p. 14)
6. document procedures for evaluating interest earnings on advanced federal funding to ensure it is recorded in compliance with s. 20.906 (1), Wis. Stats.; (p. 14)
7. work with the State Controller’s Office to update the Wisconsin Accounting Manual to provide guidance regarding how to record interest earnings on federal grant programs; and (p. 14)
8. comply with Wisconsin Statutes and enforce its own policies by working with agencies in a timely manner to resolve issues with appropriations to ensure agencies comply with s. 16.52 (5) (b), Wis. Stats., and certify all of their appropriations. (p. 16)

We recommend the Department of Administration, Division of Enterprise Technology:

9. for certain types of accounts, develop access review requirements by December 29, 2023; (p. 22)
10. for certain types of accounts, work with a vendor to obtain an automated tool to perform access review in accordance with the State of Wisconsin IT Security Policy Handbook, including updating access based on the review and retaining documentation of the review and the updates made to access by June 30, 2024; (p. 22)
11. for other types of accounts, perform access reviews in accordance with the State of Wisconsin IT Security Policy Handbook, including by updating access based on the review and retaining documentation of the review and the updates made to access, by December 29, 2023; and (p. 23)
12. develop a plan and begin to identify and document exceptions where agencies are noncompliant or partially compliant with controls listed in the State of Wisconsin IT Security Policy Handbook and related standards by April 30, 2024. (p. 26)

We recommend the Wisconsin Department of Administration, Division of Enterprise Technology comply with its statutory responsibilities to provide oversight and monitoring of executive branch agency adherence to the State’s IT policies by:  

13. developing and communicating to executive branch agencies by May 31, 2024, a monitoring plan to review the effectiveness of all agency-reported compliance with controls in the State of Wisconsin IT Security Policy Handbook and related standards; and (p. 30)
14. updating its risk management program by December 29, 2023, including by considering the risks related to approved policy exceptions and remediating known vulnerabilities. (p. 30)

We recommend the Wisconsin Department of Health Services:  

15. develop enhanced procedures to evaluate and research the proper accounting for new activities that may require adjustments for financial reporting purposes. (p. 8)