Thursday, February 09, 2023

State auditor: Missouri's financial and human resources management system needs better security controls

 


(From State Auditor Scott Fitzpatrick)

State Auditor Scott Fitzpatrick has released an audit of the Statewide Advantage for Missouri (SAM II) system, which handles billions of dollars in financial transactions each year for the state of Missouri. The report found security control weaknesses that could leave the system vulnerable to unauthorized or inappropriate transactions. Several of the findings were also reported in the previous state audit of SAM II, released in December 2019.

SAM II is managed by the Office of Administration (OA) and has more than 4,000 system user accounts. The audit also covered MissouriBUYS, the state's eProcurement system that uses SAM II for financial processing and has more than 1,900 user accounts.








"In fiscal year 2022, the state used SAM II to process about $47 billion in expenditure transactions," Auditor Fitzpatrick said. "Appropriate security measures are vital in safeguarding the taxpayer dollars that go through this system. I encourage OA officials to follow through on the recommendations in the audit to ensure those safeguards are in place."

One of the vulnerabilities found in the audit was that user accounts of terminated employees are not always removed timely, meaning former employees could still access the system. The audit found that 30 days or more after their termination, 15 former employees still had access to SAM II and 13 former employees still had access to MissouriBUYS.

Another weakness in the financial system security settings identified three users who had the ability to approve their own transactions without review or additional approval from an independent party. The audit also found that inadequate controls for the system security administrator increased the risk of improper activity in SAM II, and that OA management has not fully developed policies and procedures for SAM II administration.







Audit recommendations include performing periodic reviews of user accounts to ensure access is more promptly terminated for former employees and that documented supervisory reviews be performed of security administrator actions. While OA has started Phase 1 of its transition to a new enterprise resource planning system, slated to be fully completed in 2026, the recommended improvements to SAM II should be considered and implemented in the new system to limit system vulnerabilities.

A complete copy of the audit, which gave a rating of fair, is available here.

No comments: