The Colorado Legislative Audit Committee received a follow-up IT performance audit of the Governor's Office of Information Technology (OIT) on cybersecurity resilience, revealing that OIT had failed to fully implement the vast majority of 71 open recommendations from a May 2023 audit — producing 12 new findings and 85 new recommendations — while OIT disagreed outright with 37 of those 85 recommendations, prompting sharp questioning from committee members about accountability, documentation failures, and the adequacy of OIT's cybersecurity posture. The committee released the public audit report by voice vote and then voted to go into executive session to hear the confidential portion of the audit, with the chair confirming that two-thirds of the committee membership was present and stating the ayes had it; no legislative action was taken on the audit recommendations, and no outcome of the executive session could be determined as the transcript ends when public recording stopped.
+ 1 more action
Matt Devlin (OSA) stated that OIT's responses 'seem to align with our recommendations even though they're disagreeing,' making it 'really unclear... in what regard OIT is disagreeing.' David Ettinger agreed in his opening with the documentation/communication framing, yet the audit shows OIT disagreed outright with 37 of 85 recommendations. The Chair directly raised this tension, stating: 'your statement is that you agree, yet in looking at the audit results, there's a lot of partially agrees and several disagrees with the recommendations. So I'm trying to reconcile that.'
+ 4 more controversies
“I'm much more confident in our cybersecurity posture itself than I am in our ability to implement cybersecurity audits. But you would never know that from the audit results.”
+ 4 more quotes
Subscribe to see all key actions, controversies, quotes, and what's next.
Sign in to subscribeGood early morning. The Legislative Audit Committee will come to order. Ms. Watson, will you please call the roll? Senators and Representatives Brooks. Present. Bacon, Johnson. Here. Helton. Here. Wiseman. Good morning. Wilford. Present, Madam Vice Chair. Present, Madam Chair. Present, Madam Chair. You have a quorum. Thank you, Ms. Watson. Members, may I have a motion to release the Governor's Office of Information Technology Cybersecurity Resilience IT Performance Audit Public Report dated January 2026. So. Moved. Second. Moved by the Vice Chair, Seconded by Senator Pelton. Are any opposed? The audit is now released. Mr. Devlin? Yes. Thank you, Madam Chair. Pull this a little closer and. Good morning, members of the committee. My name is Matt Devlin. I'm the Chief IT Auditor at the osa. Here with me from our team is Cindy Radke, our IT Audit Manager. This morning, as mentioned, we're going to walk you through the results of our most recent IT audit of cybersecurity resiliency that we conducted at oit. This audit was a discretionary audit that we conducted based on risk and it was a follow up audit of prior IT audit that we conducted back in 2023 at OIT. In summary, our…
Subscribe to unlock the full transcript, summary, and search across all Colorado committee hearings.
Sign in to subscribe