RECOMMENDATIONS

State of Wisconsin FY 2021-22 Financial Statements
Report 22-26 | December 2022


The Legislative Audit Bureau makes 24 recommendations to State of Wisconsin Agencies.


We recommend the Wisconsin Department of Administration report to the Joint Legislative Audit Committee by March 31, 2023, on:  

  1. revisions made to its access review process, and plans for completing reviews by June 30, 2023 (p. 7)
  2. revisions made to the information security policy exception process, communications made to agencies regarding the revised process and available training, and steps taken to complete the review of deviations from the State of Wisconsin IT Security Policy Handbook and related standards (p. 7); and
  3. its monitoring plan for reviewing the effectiveness of agency-reported information in its dashboard, and progress made in developing plans for performing vulnerability assessments and updating its risk management program (p. 7)

We recommend the Wisconsin Department of Administration, Division of Enterprise Technology:

  1. develop and complete a process by June 30, 2023, to perform access reviews in accordance with the State of Wisconsin IT Security Policy Handbook, including updating access based on the review and retaining documentation of the review and the updates made to access (p. 26)
  2. complete by January 31, 2023, a review of its existing IT security exception process and make revisions to the process, including developing a procedure for escalating noncompliance with established policies to senior management within the Department of Administration and within the particular executive branch agency (p. 29)
  3. develop an exception process training program and communicate the relevant training program and exception process procedures and responsibilities to its staff and executive branch agency staff by January 31, 2023 (p. 29); and 
  4. complete and document its review and assessment of processes and configurations that do not comply with established policies, complete approvals of exceptions when changes to processes cannot be made timely, maintain documentation of discussions and meetings with agency staff as the review and assessment of exceptions are completed, and complete this review and approval of exceptions by March 31, 2023 (p. 29)

We recommend the Wisconsin Department of Administration, Division of Enterprise Technology comply with its statutory responsibilities to provide oversight and monitoring of executive branch agency adherence to the State’s IT policies by:

  1. using its statutory authority to ensure executive branch agencies conform with the State’s IT policies and standards or obtain an approved exception by March 31, 2023 (p. 33)
  2. developing and communicating to executive branch agencies by March 31, 2023, a monitoring plan to review the effectiveness of agency-reported information in the dashboard, including how the Department of Administration will report results to the agency and expected timelines for agencies to correct the noncompliance with the State’s IT policies and standards or obtain an approved exception (p. 33);
  3. establishing detailed plans by June 30, 2023, for how it will perform ongoing vulnerability assessments with the new vulnerability management tool, respond to those assessments, and make changes to further strengthen the State’s IT environment (p. 33); and
  4. continuing to update its risk management program including considering the risks related to approved policy exceptions and remediating known vulnerabilities (p. 33).

We recommend the Wisconsin Department of Health Services:  

  1. review and update the Medicaid Management Information System cost avoidance rules to properly identify and deny payment for claims that may be covered by third‑party insurers (p. 24)
  2. identify payments made during FY 2021-22 that may have been improper due to inaccurate cost avoidance rules and seek to recover these amounts (p. 24)
  3. return to the federal government recovered payments that may have been improper (p. 24)
  4. perform an assessment and implement additional procedures to review changes to cost avoidance rules in the future (p. 24)
  5. develop and implement additional procedures to evaluate the potential effects of changes in the programs that it administers (p. 35); and
  6. use the additional procedures to evaluate changes that may require further consideration and adjustments for financial reporting purposes (p. 35).

We recommend the Wisconsin Board of Commissioners of Public Lands:  

  1. complete and document an assessment of its reliance on its custodian bank (p. 37); and 
  2. determine and implement internal controls as appropriate to ensure the accuracy of information it receives from the custodian bank (p. 37); or
  3. obtain a service organization audit report from its custodian bank, assess and document its review of the effectiveness of the custodian bank’s internal controls as reported in the service organization audit report, and assess and document its review of the service organization audit report to ensure appropriate and sufficient internal controls are present at the Board of Commissioners of Public Lands to complement the internal controls at the custodian bank (p. 37)

 

We recommend the University of Wisconsin System Administration improve its oversight of the ShopUW+ application by:  

  1. developing a written requirement for University of Wisconsin institutions to periodically review ShopUW+ approval access and communicating this requirement to all University of Wisconsin institutions (p. 40)
  2. developing a procedure to monitor the compliance of all University of Wisconsin institutions with the requirement for periodic review of ShopUW+ approval access (p. 40)
  3. developing a policy to require periodic review of the adequacy of certain cloud-based third party vendors’ internal controls, such as by assigning the responsibility to obtain a service organization audit report and ensuring such reports are reviewed (p. 40); and
  4. annually obtaining and reviewing relevant service organization audit reports (p. 40)