Auditor General Identifies “Serious Flaws” in Navajo County Safeguards | Latest news

HOLBROOK – Lax credit card monitoring.

A minimum of $ 41,000 for gasoline purchases with no vehicle history showing the business purpose of the purchase and travel.

And a computer system that is susceptible to security breaches that could compromise the disclosure of confidential information and access to the system.

The Arizona Auditor General definitely had some specific suggestions about the county’s financial and IT oversight procedures.

The just-released Internal Control and Compliance report for the fiscal year ended June 30, 2020 suggests the county is facing additional issues beyond the previously disclosed and now repaid $ 5,579 of allegedly unreasonable credit card fees from former Health Director Jeff Lee go beyond facing several fraud fees.

The audit report received from the Independent points to additional problems both with the record of gas purchases and, more importantly, a number of problems with the security of the county’s computer systems.

However, the county has already made policy changes to respond to recommendations on monitoring credit card purchases, gas purchases, and IT security.

Bryan Layton, assistant district manager, said, “It’s important to note that card mitigation and travel policy changes have been implemented to improve internal controls.”

In addition, it found that the audit report revealed a lack of documentation on the gas expenditure, but did not find a case where the expenditure was inadequate.

Layton said employees traveling to Phoenix on business or MPs traveling to remote areas of the Navajo Reservation must purchase gas along the way. “In both cases it is necessary to buy fuel remotely – and our policy rightly allows it. It is important to note that they have not identified a single abuse case, but are focused on the controls necessary to detect and prevent abuse. “

Finally, he said the county is constantly working to improve computer security. “This will continue to be a very high priority for the county and we will continue to work with the Arizona Counties Insurance Pool and the professional experts they have brought on board to consistently work to reduce our risk.”

The vulnerability of computer systems is a major problem facing government agencies across the state. An increasing number of ransomware attacks have cost government agencies millions after hackers infiltrated computer networks and locked out legitimate users. Many agencies have either paid ransom to restore access and files, or tried to repair the damage and restore the files. In addition, concerns were raised in the 2020 election that hackers could break into computer networks in the county’s electoral department and potentially alter election results.

In response to the audit, the county submitted a compliance plan to address any issues raised by the auditors. The report found that the auditors were not providing an opinion on the appropriateness of the county’s response at this point.

“The sole purpose of this report is to describe the scope of our internal control and compliance tests and the results of these tests, and not to comment on the effectiveness of the county’s internal control or compliance. The county’s responses and corrective action plan were not subjected to the review procedures used to review the base financial statements and accordingly we are not providing an opinion. “

The Navajo County Board of Supervisors passed new guidelines at its most recent meeting that require receipts and pre-approval for travel and county credit card purchases, largely in response to years of undocumented spending by Lee and subsequent scrutiny.

Layton said the Arizona counties have worked together on IT security for years, and that effort is now even more intense. The ongoing IT security meetings are nothing new, and the Arizona counties are also working and in constant communication with the FBI and other agencies to mitigate threats, Layton said.

The county agreed with the various findings, saying that corrective action was already under way. For starters, the county withheld money for Lee’s undocumented purchases when he was fired and paid for his idle vacation time in December.

The county also said it now needs vehicle logs, receipts, travel documents for using the county’s gasoline credit cards or making payments to employees. “We recognize the need to implement a fuel tracking process that is affordable and reasonable in order to better track fuel purchased with county shopping cards. The county council does not believe that there was willful misuse of P-Car fuel purchases in the county or misuse of county funds, with the exception of fuel purchases made by the county health director. “

The district also agreed to the findings on IT security and promised to work on the problem. “Navajo County takes all IT exam results seriously and will endeavor to correct any deficiencies,” stated the county’s response included in the exam results.

The audit results came in part from the disclosure of Lee’s investigation into the use of county credit cards. That investigation actually began with an investigation into Lee’s expenses while working for Coconino County. Navajo County did not discover the alleged mispending itself.

Navajo County has a general fund budget of around $ 48 million but monitors around $ 147 million if you add in all the other special districts and funds for which it manages tax collections and transfers. The county is therefore a major employer in a county of 107,000 people. The county maintains a range of pass-through funds to provide a range of state and federal funds – and is likely to receive an additional $ 22 million in federal grants under the newly-passed Federal American Rescue Act.

At each meeting on the consent calendar, the county approves hundreds of pages of checks, some for $ 1, some for $ 5,000. At the last meeting, the list of checks was 420 pages. An enormous amount of money flows into the county’s accounts every week.

In the audit report, both “major weaknesses” and “significant deficiencies” in some of the district’s procedures were identified. The report found that a “material weakness” “creates a reasonable possibility that a material misrepresentation of the basic financial statements of the district is not prevented or recognized and corrected in good time”.

The report focused on three areas – health director credit card spending, county gas card use, and IT security vulnerabilities. The results in each area include:

The director of the county health department made $ 5,579 purchasing cards in contravention of the county’s paid policies, leading to possible misuse of public funds and possible violation of the Arizona Constitution

District officials found no unreasonable or undocumented spending of $ 5,579, which made up 40% of purchases on the card for the year. The district also initially did not apply for reimbursement when the missing expenses were collected. The missing issues include:

• $ 835 for personal cellular services

• $ 535 for unsupported fuel purchases.

• Missing documentation for US $ 1,268 for meals and US $ 1,742 for hotel stays.

• Lack of approval for $ 629 for room and board that exceeded allowable prices.

• District officials were not reimbursed when an initial audit found lack of evidence. Subsequently, even after the county revoked Lee’s credit card in April 2020, auditors identified additional inappropriate or undocumented spending of $ 3,400. The county eventually recovered the allegedly missing money by withholding $ 3,400 from Lee’s last check.

The county paid $ 41,000 for the purchase of fuel through the employees’ county purchase card, but did not ensure the fuel was used in county vehicles contrary to county guidelines.)

The audit revealed that the district needs to implement better procedures to avoid possible incorrect spending in the future. $ 41,000 worth of county gas card purchases with 1,300 refills by 200 employees. The county did not have sufficient records of the gas purchases, “which increases the county’s risk of misusing public funds and violating the Arizona Constitution.”

The auditor’s report identified a number of deficiencies in the security of computer networks, including the protection of data. Among the results:

• The county has not identified or inventoried any sensitive information.

• The county lacked policies and procedures for sensitive information.

• The district had inadequate control procedures for IT systems and data.

• District proceedings did not consistently prevent unauthorized access

• The systems lacked controls to prevent the use, tampering, corruption or loss of data.

• The systems did not revoke access to the system for laid-off employees.

• The system did not contain sufficient authentication for users.

• The system has not checked the corresponding employee access levels.

• The system did not monitor itself for unauthorized or unintentional configuration changes.

• The system did not monitor usage for users with administrator rights.

• The county did not have a plan to respond to security incidents in the event of a lockdown.

Peter Aleshire covers county government and other issues for the Independent. He is the former editor of the Payson Roundup. Reach out to him at [email protected]

Comments are closed.