Legislative Audit Committee approves letter asking Joint Budget Committee to seek detailed OIT accounting after cybersecurity audit

The Legislative Audit Committee on a voice vote approved a letter asking the Joint Budget Committee to request a detailed accounting from the Office of Information Technology of its FY '22–'25 appropriations and related expenditures following the Governor's Office of Information Technology cybersecurity resilience IT performance audit (January 2026). Auditor Hunter told the committee that OIT had provided an executive summary and a line-item accounting the day before the hearing and that OIT’s submission shows roughly $83 million in related expenditures.

The committee said it wants the JBC to use its RFI process to obtain a full roll-up of spending and supporting explanations rather than rely on a single aggregate figure. "My suggestion would just be to not have reference to any amount, but just to ask for a specific accounting of all funds OIT received '22 through '25," Vice Chair Weisman said. Auditor Hunter agreed to remove a dollar total from the draft and instead ask for the full, itemized accounting and for OIT to report by July 1.

Why it matters: committee members said they need more granular financial detail to assess whether budgeted funds were spent on cybersecurity remediation and technical-debt reductions the audit identified. Representative Bacon urged the committee to include expectations for benchmarks and midyear monitoring so the LAC can track whether OIT meets implementation goals during the next budget cycle.

Auditor Hunter told the committee the auditor's office had asked OIT for a June 30, 2026 implementation-status report; staff will perform verification testing later in the summer and fall. "We've asked for them to provide that, in July," Hunter said, and added the auditor's office planned testing by staff including chief IT auditor Matt Devlin and an IT manager. Devlin told the committee that mapping every financial transaction to specific remediation tasks would require further analysis and crosswalks between spending records and technical recommendations.

Several members debated whether the LAC should request detail about OIT’s revolving cash fund. Representative Titone asked explicitly for a detailed register to understand a major overage in that cash fund; the chair cautioned that a cash-fund audit is not currently part of the cybersecurity audit’s scope and suggested the Joint Technology Committee could pursue cash-fund accounting if appropriate. Vice Chair Weisman noted the state controller can produce a transaction register, but Auditor Hunter said OIT is needed to explain which transactions relate to the cybersecurity and technical-debt work.

The committee decided not to approve a final amended draft at the meeting; Auditor Hunter agreed to edit the letter and circulate it to committee members, who then voted by voice with no recorded opposition. The committee also agreed to place OIT on an August agenda (after the July report) and to revisit implementation progress at a December hearing.

Next steps: Auditor Hunter will revise the draft letter to request an itemized accounting (covering FY '22–'25 and optionally through June 30), ask OIT to report by July 1, and indicate the committee expects OIT to appear at the August LAC meeting and for status discussion in December. The final letter will be circulated to the committee for confirmation.