State government IT security audits: Benefits, challenges and considerations of consolidated IT security organizations

In today’s digital landscape, public sector organizations face increasing pressure to secure their information systems, protect sensitive data and ensure continuity of services. As cyber threats grow in complexity and frequency, many states have turned to consolidated information technology (IT) security models to streamline operations and enhance cybersecurity. One such example is the Virginia Information Technologies Agency (VITA), a centralized IT organization that provides infrastructure, cybersecurity, governance and procurement services to Virginia’s executive branch agencies. 

Whether your organization works with state-mandated agencies like VITA or is considering implementing an IT security audit framework for the first time, this article explores the benefits and challenges of consolidated IT security organizations, the importance of aligning with recognized frameworks, and key questions and steps agencies should consider when evaluating their cybersecurity strategy. 

The case for consolidation: VITA as a model 

VITA exemplifies a consolidated IT security organization. It operates as a broker in a multisupplier model, supporting 65 executive branch agencies across Virginia. By centralizing IT infrastructure and cybersecurity services, VITA delivers cost savings, consistent standards and improved service delivery. Its role spans governance, procurement and infrastructure, helping agencies achieve their missions while maintaining robust cybersecurity. 

This model offers several advantages: 

1. Reduced costs and increased efficiency 

Consolidation minimizes redundant hardware, software licenses and support contracts. Agencies benefit from economies of scale and simplified vendor management, reducing administrative overhead and operational costs. 

2. Enhanced security and compliance 

Centralized organizations like VITA can enforce consistent security protocols, access controls and data protection policies. This uniformity helps agencies meet regulatory requirements and simplifies audits and certifications. 

3. Standardized technology 

A cohesive technology stack improves system compatibility, simplifies integration and streamlines training. Employees across agencies use standardized applications, reducing confusion and improving productivity. 

4. Simplified support and management 

A centralized IT service desk provides a single point of contact for issue resolution. This reduces delays and ensures faster, more effective support. 

5. Strategic focus 

With routine IT tasks handled centrally, individual departments can focus on their core missions. IT resources are freed to pursue strategic initiatives that drive innovation and growth. 

How Baker Tilly can help 

At Baker Tilly, we understand the unique challenges faced by public sector organizations. Our dedicated public sector practice includes over 350 professionals serving more than 4,000 clients across 48 states. We’ve worked with state entities, municipalities, school districts, Tribal governments, universities and more. 

Our services include: 

• Cybersecurity audits: Perform IT general controls (ITGC), application audits and sensitive system assessments. 
• Framework development: Help agencies select and implement cybersecurity frameworks tailored to their needs. 
• Policy and procedure enhancement: Assist in creating or refining documentation to ensure alignment with best practices. 
• Third-party risk management: Support agencies in evaluating and monitoring vendor compliance. 
• Training and advisory: Provide strategic guidance and training to build internal capacity and resilience. 

Whether your agency is centralized like VITA or operates in a decentralized model, Baker Tilly can help you build a secure, compliant and efficient IT environment.