September 18, 2020

Contact: Sen. Cowles: (608) 266-0484 / Rep. Kerkman: (888) 529-0061

Audits Assess IT Needs Assessment, Procurement, and Security

MADISON– Today, the nonpartisan Legislative Audit Bureau (LAB) released its audits of information technology (IT) Needs Assessment, Procurement, and Security at the University of Wisconsin (UW) System (report 20-10) and the Department of Administration (DOA) (report 20-11). LAB also released an audit of DOA’s administration of the State’s Master Lease program, through which state agencies may fund their purchases of IT systems (report 20-12). The Board of Regents is statutorily responsible for overseeing IT projects in UW System, and DOA is statutorily responsible for ensuring that executive branch agencies, other than UW System, make effective and efficient use of IT resources. 

LAB found that UW institutions, including UW System Administration, did not consistently comply with various statutes, policies, and best practices. LAB found that UW System Administration did not develop comprehensive IT security policies and procedures and LAB recommends that UW System Administration work with UW institutions to improve IT security. LAB also recommends that the Board of Regents improve its oversight of IT projects, including large, high-risk IT projects. In addition, LAB recommends that UW System Administration work with the Board of Regents to require the Board to approve all IT contracts that are more than $1.0 million, and to establish an IT projects committee of the Board to help oversee IT projects.

At DOA, LAB found that state agencies also did not consistently comply with various statutes, policies, and best practices. LAB recommends that DOA improve its oversight of IT projects, including large, high-risk IT projects. LAB also recommends that DOA help state agencies to develop appropriate policies for contracting with firms that provide cloud computing services, and that DOA work with state agencies to improve IT security. 

“The findings at both DOA and UW related to IT security are very concerning to me. Managing cybersecurity risk should have been acted on through prior audit findings, but we see from this audit report that it was not. In just a few months our lives shifted into a more virtual sphere due to COVID-19. Our state government must scramble to play catch up to revise and develop policies, procedures, and plans that should have already been in place and providing the proper privacy and security procedures and safeguards,” said Senator Robert Cowles (R-Green Bay). 

State agencies apply for master lease funding from DOA, which decides whether to approve their applications. From FY 2014-15 through the first half of FY 2019-20, $142.1 million of the $157.9 million (90 percent) of master lease funding approved by DOA was for 28 IT projects. Projects managed by DOA accounted for 83.3 percent of this amount. LAB identified concerns with DOA’s program policies, consideration of applications for master lease funding, oversight of the program, and statutorily required reporting. LAB recommends that DOA improve its administration of the program.

“In a time when IT is even more critical to the operations of state government, this audit is a deep dive into the responsibilities that DOA and UW need to take seriously,” said Rep. Samantha Kerkman (R-Salem Lakes). “The state not only needs significant improvement in its ability to assess IT needs and procurement, but the security of our government depends on a commitment to the security of IT systems. The security findings cannot be ignored.”

Copies of LAB’s reports (report 20-10, 20-11, and 20-12) may be obtained from its website at or by calling (608) 266-2818. Report concerns related to state government activities, including at the University of Wisconsin System, to LAB by calling the toll-free hotline at 1‑877‑FRAUD‑17.