HOLBROOK — Lax credit card supervision.
At least $41,000 in gas purchases that didn’t include a vehicle log showing the business purpose of the purchase and the trip.
And a computer system vulnerable to security breaches that would risk disclosure of confidential information and access to the system.
The Arizona Auditor General definitely had some pointed suggests about the county’s financial and IT oversight procedures.
The just released report on Internal Control and Compliance for the fiscal year ending June 30, 2020 suggests the county has additional problems beyond the previously disclosed and now-repaid $5,579 in allegedly improper credit card charges by former health director Jeff Lee, who now faces multiple fraud charges.
The audit report obtained by the Independent indicates additional issues with both record-keeping for gas purchases and more importantly, a series of problems with the security of the county’s computer systems.
However, the county has already put in place policy changes to respond to the recommendations in oversight of credit card purchases, gas purchases and IT security.
Assistant County Manager Bryan Layton said “it is important to note that purchasing card mitigation measures and Travel policy changes have been implemented to improve internal controls.”
Moreover, he noted that the audit report spotlighted a lack of documentation of spending for gas, but did not find a case in which the spending wasn’t appropriate.
Layton said employees driving to Phoenix on business or deputies traveling to remote areas of the Navajo Reservation do have to buy gas on the road. “It is necessary in both cases to purchase fuel remotely – and our policy rightly allows this. It is important to note that they did not identify a single case of misuse, rather the issue is focused on the controls needed to detect and prevent misuse.”
Finally, he said the county works constantly to improve computer security. “This will remain a very high priority for the county and we will continue to work with the Arizona Counties Insurance Pool and the professional experts they bring on board to consistently work to reduce our risk.”
The vulnerability of computer systems represents a major problem faced by government agencies throughout the state. An increasing number of ransomware attacks have cost government agencies millions after hackers have into computer networks and lock out legitimate users. Many agencies have either paid ransom to restore access and files or trying to repair the damage and recover the files. Moreover, the 2020 election also highlighted concerns that hackers could break into county elections department computer networks and potentially change election results.
In response to the audit, the county submitted a compliance plan to address each issue raised by the auditors. The report noted that a this point the auditors are not expressing an opinion on the adequacy of the county’s response.
“The purpose of this report is solely to describe the scope of our testing of internal control and compliance and the results of that testing and do not provide an opinion on the effectiveness of the county’s internal control or on compliance. The county’s responses and corrective action plan were not subjected to the auditing procedures applied in the audit of the basic financial statements, and accordingly, we express no opinion on them.”
The Navajo County Board of Supervisors at its last meeting adopted new policies requiring receipts and pre-approval for travel and county credit card purchases, mostly in response to years of undocumented spending by Lee and the subsequent audit.
Layton said Arizona counties have been collaborating on IT security for years, and these efforts continue even more intently now. The ongoing meetings on IT security are nothing new and Arizona counties also collaborate with the FBI and other agencies to mitigate threats and are in constant communication, Layton indicated.
The county concurred with the various findings and said corrective actions are already underway. For starters, the county withheld money for Lee’s undocumented purchases when it terminated him in December and paid out his unused vacation time.
The county also indicated it now requires vehicle logs, receipts, a trip documentation for any use of the county gasoline credit cards or payments to employees. “We realize the need to implement a fuel tracking process that is affordable and reasonable to better track fuel purchased with County purchasing cards. County Administration does not believe there was any intentional abuse of County P-Car fuel purchases or any misuse of County funds except for fuel purchases made by the County’s Public Health Director.”
The county also concurred with the findings concerning IT security and promised to work on the problem. “Navajo County takes all IT audit findings seriously and will make efforts to resolve any deficiencies,” said the county’s response included with the audit findings.
The audit findings flowed, in part, from the revelation of the investigation into Lee’s use of county credit cards. That investigation actually started with a probe of Lee’s spending when he worked for Coconino County. Navajo County did not detect the alleged misspending on its own.
Navajo County has a general fund budget of some $48 million, but oversees some $147 million when you add in all the other special districts and funds for which it manages tax collections and transfers. The county’s therefore a major employer in a county of 107,000 people. The county handles a wash of pass-through funding to provide an array of state and federal funding — and will likely receive in influx of another $22-million in federal money as part of the just-adopted federal American Rescue Act.
Every meeting on the consent calendar, the county approves hundreds of pages of checks, some for $1, some for $5,000. At the last meeting, the list of checks ran to 420 pages. So an enormous amount of money sloshes through the county’s accounts every week.
The audit report spotlighted both “material weaknesses” and “significant deficiencies” in some of the county’s procedures. The report noted that a “material weakness” creates “a reasonable possibility that a material misstatement of the county’s basic financial statements will not be prevented or detected and corrected on a timely basis.”
The report focused on three areas — credit card spending by the health director, use of county gas cards and weaknesses in IT security. Findings in each area include:
Credit Card Spending:
County Public Health Department Director made $5,579 in purchasing card purchases that contradicted County policies, which the County paid for, resulting in potential misuse of public monies and possibly violating the Arizona Constitution
County officials failed to detect some $5,579 in improper or undocumented spending that amounted to 40% of the purchases on the card in the year. The county also did not request reimbursement initially when the misspending was raised. The misspending included:
• $835 for personal cellular services
• $535 of unsupported fuel purchases.
• A lack of documentation for $1,268 for meals and $1,742 in hotel stays.
• Lack of approval for $629 in lodging and meals that exceeded allowable rates.
• County officials failed to obtain reimbursement when an initial audit spotlighted the lack of receipts. Even after the county revoked Lee’s credit card in April of 2020, auditors subsequently identified an additional $3,400 in inappropriate or undocumented spending. The county finally recovered all the allegedly misspent money only by withholding $3,400 from Lee’s final check.
The County paid $41,000 for employees’ County purchasing card fuel purchases but did not ensure the fuel was used in County vehicles, contrary to County policies, placing the County at risk of misusing public monies and violating the Arizona Constitution (which forbids making gifts of public funds.)
The audit suggested the county needed to institute better procedures to avoid potential misspending in the future. $41,000 in county gas card purchases involving 1,300 fill-ups by 200 employees. The county did not have enough documentation concerning the gas purchases ”elevating the County’s risk of misusing public monies and violating the Arizona Constitution.”
The auditor report cited a whole series of deficiencies in securing computer networks, including safeguarding data. Among the findings:
• The county did not identify and inventory sensitive information.
• The county lacked policies and procedures concerning sensitive information.
• The county had inadequate control procedures over IT systems and data.
• County procedures did not consistently prevent unauthorized access
• The systems lacked controls to prevent use, manipulation, damage or loss of data.
• The systems did not remove fired employees access to the system.
• The system didn’t include adequate authentication for users.
• The system didn’t review appropriate employee levels of access.
• The system didn’t monitor itself for unauthorized or unintended configuration changes.
• The system didn’t monitor use for users with administrative access privileges.
• The county didn’t have a security incident response plan in case of a breech.