2-Year Summary of Security Controls in Selected State and Local Entities (2024-2025) [February 2026]

The Rundown with Kansas Legislative Division of Post Audit

Feb 04, 2026
Legislative Post Audit

We completed 15 audits on 13 state agencies, 1 school district, and 1 city between CY 2024 and CY 2025. This summary report shows 7 of the 15 entities did not substantially comply with applicable IT security standards and best practices. Entities struggled with properly scanning and patching their computers. Entities also had compliance problems because they did not create, maintain, or test continuity of operations and disaster recovery plans, as well as incident response plans. Other significant issues included poor security awareness training or failed social engineering tests. More than half the entities had significant management process weaknesses, including inadequate asset inventories, contract issues, or the lack of a designated information security officer. Additional security weaknesses included inadequate network, boundary, and data protection processes. We also noted some entities did not adequately protect their electronic backup data. Some entities had poor access or environmental controls for their data centers, and a few entities had inadequate account security controls. Lastly, we identified significant security issues within entities' specific IT systems. The findings in this report are similar to those in previous summary IT reports. The main reasons for compliance problems across the 15 entities included insufficient top management attention, inadequate resources, and poor contractor administration.