About IT Audits

What is a cybersecurity audit?

Cybersecurity audits examine information technology systems used in government operations. They look for weaknesses in that technology and propose solutions to help strengthen those systems. Cybersecurity audits are a type of performance audit and are provided at no cost to state and local governments, thanks to 2005's voter-approved Initiative 900.

Cybersecurity audits protect the people of Washington

People depend on Washington's state and local governments for many different services – such as public safety, tax collection, social services, and transportation systems. Governments depend on technology to provide these services. The security of these systems and related data are vital to public confidence, the continuity of government operations, and the safety and well-being of the state and its residents. Across the country and throughout the world, that technology is increasingly under attack, leaving people vulnerable. Those attacks add up, costing taxpayers money and eroding trust in institutions.

Read this special report to learn our cybersecurity work in 2022.

Read this report to learn about our cybersecurity work in 2020 and 2021.

How cybersecurity audits work

The State Auditor's Office (SAO) has worked with state and local governments to improve IT security for more than a decade. In recent years, we've increased cybersecurity assistance and training because of the ever-increasing danger of cyber technology being attacked.

We coordinate IT security work with both the Office of CyberSecurity (OCS) at Washington Technology Solutions (WaTech) and the Washington State Military Department. By coordinating, we're able to reduce the impact of testing on agency operations, and ensure our work complements that of OCS and the Military Department to further strengthen cybersecurity throughout Washington. Audits can include:

  • Penetration testing: Real-time security assessments of applications, systems and networks. Our auditors identify and assess risks and determine if they could be exploited by bad actors. We work collaboratively with governments to identify the critical applications for testing.
  • IT security controls: A review of policies, procedures and technical implementation compared to leading practices and required state standards.

Because of the sensitive nature of cybersecurity audits – and to avoid helping bad actors exploit any potential vulnerabilities before they're fixed – the final public reports contain little explicit information. However, the governing bodies of governments that receive a cybersecurity audit receive a detailed report to allow quick and thorough remediation of issues.

Additional services we offer

OCIO – IT security standards audits

The Office of the Chief Information Officer (OCIO) requires state agencies to have an independent audit performed once every three years to assess compliance with OCIO IT security standards. Our office has developed agreed-upon procedures to use for these audits. The audit includes reviewing policies, procedures and the implementation of controls required by OCIO Standard 141.10. At the conclusion of the engagement, our Office provides the agency with the results of our audit and issues a report to be filed with the OCIO.

Computer forensics

SAO has staff trained in Digital Forensics and our office can be contracted to conduct or support these investigations. A sample of the digital forensics services we can provide include:

  • Bit stream image of the device.
  • Review of existing data on the device.
  • Analysis of internet activity.
  • Review of deleted items when recoverable.
  • Review of event files to reconstruct events on a machine.

About the auditors

Our team of IT auditors and security specialists combine traditional auditing experience with deep technical expertise. The members of our cybersecurity audit team hold a variety of technical and audit certifications, including:

  • Certified Internal Auditor (CIA)
  • Certified Information Systems Auditor (CISA)
  • GIAC Security Essentials (GSEC)
  • GIAC Information Security Fundamentals (GISF)
  • GIAC Critical Controls Certification (GCCC)
  • Certified Fraud Examiner (CFE)
  • Certified Information Systems Security Professional (CISSP)
  • Microsoft Certified Systems Engineer (MCSE)
  • Certified Ethical Hacker (CEH)
  • Cisco Certified Network Associate (CCNA)
  • Security +
  • Network +

For more information about these audits or to request an audit for your state or local government, email SAOITAudit@sao.wa.gov.