Case Study: IT Audit of a State of Georgia Government Agency

Background

The Agency is responsible for delivering vital social services across the state, including public housing support, community health outreach, and emergency assistance programs. The agency handles sensitive citizen data and operates multiple digital platforms for service delivery, internal communication, and inter-agency coordination.

Given the increasing dependence on IT infrastructure and the growing cybersecurity threats facing state agencies, the Office of the Auditor General initiated an independent IT audit of the Agency’s systems, policies, and procedures.

Audit Objectives

The primary objectives of the IT audit were to:

  1. Assess IT Governance – Evaluate the alignment of the agency’s IT strategy with its organizational goals.

  2. Evaluate Cybersecurity Controls – Review the agency’s cybersecurity framework, incident response plans, and vulnerability management practices.

  3. Review Data Privacy Compliance – Ensure compliance with federal and state data protection regulations.

  4. Assess Business Continuity and Disaster Recovery (BC/DR) – Determine the agency’s readiness to handle IT disruptions.

  5. Audit Access Controls – Examine user access management and role-based permissions for internal systems.

Scope

The audit covered:

  • IT systems in use as of FY2019

  • Policies and documentation related to IT governance, security, and compliance

  • Cloud-based services and third-party vendors

  • Key applications including the Community Assistance Portal (CAP) and Internal Employee Portal (IEP)

Methodology

  • Interviews with IT management, security officers, and business unit leads

  • Document Review of IT policies, logs, and system diagrams

  • Technical Testing of selected systems for vulnerabilities

  • Sampling of user access logs and account management processes

  • Compliance Check against NIST 800-53, HIPAA (for health-related data), and Georgia’s own cybersecurity standards

Key Findings

Strengths Identified

  • Strong IT Governance: The agency has a clear IT strategy aligned with its mission and receives regular updates from the CIO.

  • Data Encryption: All sensitive data in transit and at rest is encrypted using industry-standard protocols.

  • Regular Training: Cybersecurity awareness training is mandatory and up-to-date for all staff.

Areas for Improvement

  • Inadequate Multi-Factor Authentication (MFA): Only 60% of internal applications are protected by MFA.

  • Vendor Management Gaps: Third-party service providers lack uniform security assessments before onboarding.

  • Backup Frequency: Critical systems are only backed up weekly, posing a risk of data loss.

  • Access Control Inconsistencies: Several former employees retained system access for up to 30 days post-termination.

Recommendations

  1. Expand MFA Coverage – Implement MFA across all internal and external systems within 90 days.

  2. Enhance Vendor Risk Management – Introduce a standardized security assessment checklist for all third-party vendors.

  3. Increase Backup Frequency – Move from weekly to daily backups for mission-critical systems.

  4. Automate User Deprovisioning – Integrate HR and IT systems to trigger immediate access revocation upon employee termination.
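One way to perform the account-management sampling behind the access control finding above, as an added example that is not part of the audit report: reconcile an HR termination feed against an account export and report every account that stayed enabled past its owner's termination date. The employee IDs, dates, system labels (CAP, IEP) and the AS_OF cutoff are constructed for illustration.

```python
from datetime import date

# Constructed HR termination feed: employee_id -> termination date.
HR_TERMINATIONS = {
    "E1001": date(2019, 3, 1),
    "E1002": date(2019, 3, 15),
    "E1003": date(2019, 4, 2),
}

# Constructed account export from the sampled systems. "disabled_on" is None
# while the account is still enabled at the time of the export.
ACCOUNTS = [
    {"employee_id": "E1001", "system": "CAP", "disabled_on": date(2019, 3, 31)},
    {"employee_id": "E1001", "system": "IEP", "disabled_on": date(2019, 3, 1)},
    {"employee_id": "E1002", "system": "IEP", "disabled_on": None},
    {"employee_id": "E1003", "system": "CAP", "disabled_on": date(2019, 4, 3)},
    {"employee_id": "E2000", "system": "CAP", "disabled_on": None},  # still employed
]

# Constructed date of the account export used as the audit cutoff.
AS_OF = date(2019, 4, 14)


def retained_access(hr, accounts, as_of, grace_days=0):
    """Return one finding per account that remained enabled for more than
    grace_days after its owner's termination. 'days' counts the retained
    access; accounts still enabled are measured up to as_of."""
    findings = []
    for acct in accounts:
        term = hr.get(acct["employee_id"])
        if term is None:
            continue  # owner not in the termination feed; nothing to test
        end = acct["disabled_on"] or as_of
        days = (end - term).days
        if days > grace_days:
            findings.append({
                "employee_id": acct["employee_id"],
                "system": acct["system"],
                "days": days,
                "still_enabled": acct["disabled_on"] is None,
            })
    # Worst cases first so the longest-retained access heads the sample.
    return sorted(findings, key=lambda f: f["days"], reverse=True)


if __name__ == "__main__":
    for finding in retained_access(HR_TERMINATIONS, ACCOUNTS, AS_OF):
        print(finding)
```

Accounts whose owner is still employed are skipped, and a non-zero grace period lets the check mirror whatever revocation SLA the agency adopts.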

Conclusion

The IT audit concluded that the Agency has a generally sound IT framework with strong governance and commitment to cybersecurity. However, critical vulnerabilities in access control and vendor management must be addressed to strengthen the agency’s overall risk posture.