The Legislative Audit Committee continued its review of the Governor’s Office of Information Technology (OIT) cybersecurity resiliency audit, and OIT told legislators it has revised its positions on most audit recommendations and set timelines to remediate the highest‑priority items.
David Edinger, executive director of the Office of Information Technology, told the committee that OIT re-evaluated its responses to the 85 recommendations from the follow-up audit to a 2020 review and has changed its posture. “Our current responses are, as Mr. Devlin mentioned, 71 agree, 13 partially agree, and 1 disagree,” he said, describing two internal protocols that previously led OIT to mark more recommendations as “disagree.”
The auditors had documented 12 findings and 85 total recommendations; Edinger said 32 of those recommendations carry implementation dates on or before June 30, 2026, and OIT expects to close most of those during the current Office of the State Auditor review cycle. He told the committee OIT will focus on better documentation of remediation evidence and on breaking recommendations into component parts so partial objections to an element do not result in rejecting an entire recommendation.
Representative Johnson moved that the committee formally recommend the Joint Budget Committee add a footnote to OIT’s primary operating long‑bill line item requiring OIT to submit a certified remediation report to the Legislative Audit Committee and the Joint Technology Committee before spending remaining tech‑debt roll‑forward funds. “This footnote would require OIT to submit a certified remediation report to both the legislative audit committee and JTC before they are allowed to spend any remaining funds from previous tech debt roll forwards,” Representative Johnson said.
Committee members and auditors pressed for clarity on what a “certified remediation report” would include and whether a strict restriction on equipment purchases could unintentionally block necessary system refreshes that help remediate vulnerabilities. Senator Bazely voiced that concern, saying preventing equipment refresh could “prevent there being some fixes to some vulnerabilities.” Auditor staff and members discussed alternatives including a formal letter, requests for information (RFIs), or scheduling a follow‑up meeting to draft consensus language.
Representative Johnson withdrew the motion with a pledge to pursue a letter or other follow‑up before long‑bill consideration and asked for a detailed accounting of prior tech‑debt roll‑forward spending; auditors agreed to draft language and circulate it to committee members for review. The committee also voted to hold a special meeting on Wednesday, April 1 at 8:00 a.m. to continue the discussion.
The committee moved into executive session to consider a confidential portion of the OIT report; after returning to public session, OIT summarized organizational changes intended to accelerate remediation, including reorganizing into two primary functions (Digital & Delivery; Security & Infrastructure) and posting a principal enterprise architect position to address governance gaps.
What happens next: the committee approved minutes and adopted the proposed 2026 interim calendar, auditors will circulate draft follow‑up language for members’ review, and the committee scheduled the special April 1 meeting to press for accountability and to consider any formal action in advance of the long bill.