FRANKFORT, Ky. – Kentucky Auditor Adam Edelen has released the first part of the annual statewide audit of the Commonwealth of Kentucky for fiscal year ending June 30, 2012, expressing an unqualified or clean opinion on the state’s financial statements.
Auditor Edelen, however, said he is concerned the audit contains a dozen findings relating to cyber security, including the accidental posting of more than 100 current and former state employees’ social security numbers on a publicly-accessible website for two days in April 2012.
“The president and Homeland Security Secretary have both identified attacks to our government’s computer systems as a serious threat to our security in recent weeks,” Auditor Edelen said. “Agencies across state government possess extremely sensitive information about taxpayers, state employees and industry that needs to be protected from identity thieves and hackers.”
The audit, known as the Statewide Single Audit of Kentucky (SSWAK), found deficiencies related to cyber security such as:
• Potential for unauthorized access by certain state employees to bank account information related to the state’s investment holdings and social security numbers within a motor vehicle dealer listing;
• Potential for unauthorized access by individuals outside state government to certain computers;
• Potential for unauthorized access by certain state employees to other state workers’ health insurance data;
• Excessive access by certain staff to information that could disrupt an agency’s ability to distribute and track grants.
“In the coming months, I intend to more closely monitor the Commonwealth’s cyber security efforts to ensure we are doing everything we can to both protect sensitive information and the systems that we rely upon to serve the needs of the people,” Auditor Edelen said.
The audit contains a total of 55 findings with recommendations related to deficiencies in internal controls over financial reporting. Last year’s audit contained 62 findings with recommendations.
The audit found that advance payments made by the Cabinet for Health and Family Services to certain Medicaid providers was inconsistently determined and reimbursements were not properly tracked.
Five findings at the Department of Juvenile Justice indicate a lack of consistent policy for how all facilities should operate. Auditors found that no system for tracking and processing receipts and expenditures or monitoring financial controls exists at local facilities.
Auditors also identified 14 findings related to the Kentucky Human Resource Information System (KHRIS), which manages payroll, benefits and other personnel administration across state government. Last year’s audit contained 15 findings related to KHRIS system.
Federal law requires an audit of the state’s financial statements, which expresses an opinion on $23.2billion in expenditures. The second part of the audit, to be released in March, focuses on the state’s compliance with federal grant requirements.
A total of 39 auditors, 31 financial auditors and eight IT auditors, reviewed the commonwealth’s financial statements and technology systems. The audit took more than 18,000 hours to complete.