JEFFERSON CITY — Missouri taxpayer dollars are not as secure as they should be, a state audit has found.
The state’s accounting system, known as Statewide Advantage for Missouri or SAM II, is not adequately secure from access by outsiders and the department in charge does not have a proper plan to resume business in case the system goes down, the audit reports.
“We looked at the disaster planning, the continuity planning, of the SAM II system, then we also looked at security,” Missouri auditor spokesman Jon Halwessaid.
Active IDs of fromer employees creates risk
SAM II keeps track of payments made to and by the state and accounts for payroll of state employees. The system processed about $25 billion in transactions in fiscal year 2003, according to the audit.
The audit found SAM II, which is managed by the Office of Administration, is accessible by former state employees who still have working user IDs.
“IDs that should have been deleted that are still active pose a security problem,” Halwessaid.
Some current users have criminal backgrounds in financial-related fields, the audit reports. Of the more than 7,000 employees with access to the system, 146 had criminal records, 46 of which involved robbery, theft or fraud, the audit states.
“We wanted to determine if there was any risk of people with inappropriate backgrounds having access,” Halwes said.
The key is knowing who is using the program so he or she can be monitored, if necessary, Halwes said. The issue is not necessarily refusing access to those with a criminal record. “If someone has a history, you want to know that,” Halwes said.
Remedy includes background checks
The remedy is already under way, said Ann Hamlin, a spokeswoman for the Office of Administration. Background checks are now required of anyone who can access SAM II and make informational changes to the system, she said.
“Each state agency will be responsible for doing background checks on employees who can enter and retrieve information from the SAM II system,” Hamlin said.
The audit also focused on system recovery, which is the ability to resume business operations in case of a fire or computer crash. The Office of Administration lacks a comprehensive recovery plan, the audit found. The office does not have an offsite facility to continue operations in case of a disaster, lacks documented procedures for manual processing when computers are not functioning, and personnel are not trained on all responsibilities relating to recovery.
Does disaster recovery require more funding?
Disaster recovery requires adequate funding, Hamlin said.
Improvements can be made even if extra funding is not available, Halwes said. “Sometimes the remedy is more funding, sometimes the remedy is finding a way to redeploy resources in a different way,” Halwes said. He pointed out that the Office of Administration is working to meet audit recommendations with the funds available.
The Office of Administration is complying with the audit’s advice for upgrading security and planning for disaster recovery, Hamlin said.
“We appreciate the audit, we agree with the recommendations and we are instituting them to the extent that resources allow,” Hamlin said. “Taxpayers should know that their tax dollars are being managed carefully.”