State audits suggests better controls on procurement cards and confidential computer information

By Cy Ryan

Thursday, Feb. 2, 2012 | 9:48 p.m.

The state should impose tighter control on the use of its purchase cards by its employees and should also do more to protect confidential information stored in its computer systems.

A legislative audit of the state Building and Grounds Section said, “While we did not find instances of fraud or abuse, items purchased can be easily converted to personal use, making proper and effective controls necessary.”

The audit of the state Division of Enterprise Information Technology Services said sensitive data needs better protection in the computer system. In one instance, “confidential information of social security numbers was posted on a state website that was viewable to anyone on the Internet,” said the financial examination.

But the auditors said no one apparently looked at the Social Security numbers, and the information was quickly removed from public view once it was discovered by the examination.

In the audit of the building and grounds agency, one state worker stationed in Las Vegas used his purchase card to buy $11,000 in goods that could have been easily converted to personal use.

The purchase cards have limits ranging from $250 to $3,000. But the state workers get around this by splitting the purchase into two segments. For instance, in one case, the employee’s limit was $2,000, but the item cost $2,334. So the state worker paid $1,900 in one transaction and $434 in a second one.

The audit said building and grounds “has significant monthly and annual exposure to potential loss because it has issued procurement cards to most employees and monthly limits are high for certain cards.”

The agency has issued 47 procurement cards to its 81 employees, but the audit said it found that 12 workers used their cards less than 25 times during the18 months examined.

The examination of buildings and grounds found many errors in the handling of lease office space for state agencies. In one instance, an agency overpaid its rent by $116,000 over six quarters.

The legislative audit alerted buildings and grounds of the overpayment and the lessor reduced later quarterly payments.

In the examination of the computer system, the state division does not provide adequate protection for the occupational licensing boards that collect Social Security numbers from those they regulate, the audit found.

The audit said the release of this confidential information can be costly if somebody brings suit.

“It also undermines public trust of state agencies that collect confidential personal information,” the audit said.

The plan for the computer system to recover from a disaster is outdated, the audit also found. Parts of the plan have the names and phone numbers of workers who retired from or left the state government 10 or more years ago.

“We also found that the disaster recovery computer hardware that is currently available is not adequate to restore all state server-based computing operations,” the audit said.

The reports were released to the Legislative Audit Subcommittee on Thursday.