Missouri's financial and human resources management system has security gaps — including that former employees still had access more than a month after the end of their employment — according to a report released Monday by State Auditor Nicole Galloway.
The state's Office of Administration disputed that the security issues are as serious as reported in the audit.
Galloway's office had investigated the Statewide Advantage for Missouri system, or SAM II, and the state's eProcurement system, MissouriBUYS, that uses SAM II for financial processing.
SAM II provides accounting, budgeting, procurement, inventory, and payroll and personnel capabilities for state departments and agencies, and processes revenue, expenditure, payroll, transfer and adjusting transactions.
SAM II's financial system was implemented in 1999, and the human resources system was implemented between November 2000 and June 2001. The state began the process of replacing the system in the 2019 fiscal year; a contractor was selected in April to develop the request for proposals for a new system.
OA manages SAM II, which has more than 4,500 system user accounts. MissouriBUYS has 1,300 user accounts.
MissouriBUYS is a virtual marketplace between vendors and state departments and agencies. The system was fully implemented in 2018. MissouriBUYS is provided by a third-party contractor, and the state pays a subscription fee to use the software while retaining responsibility for user account information.
SAM II handled about $40 billion in transactions in the 2019 fiscal year, according to a news release from Galloway's office, but the system has "security control weaknesses that could leave the system vulnerable to unauthorized or inappropriate transactions."
The audit of SAM II found that "user accounts of terminated employees are not always removed timely, meaning former employees could still access the system."
The audit found that 30 days or more after their termination, 21 former employees from seven state departments, the Legislature and the Missouri Consolidated Health Care Plan still had access to SAM II. The largest number from any single department came from the Department of Public Safety, with six terminated users in the human resources system and another in the financial system.
The audit also found that 41 former employees from 12 state departments and offices still had access to MissouriBUYS 30 days or more after their terminations. The largest number from any single department came from the Department of Corrections, which had 18 terminated users.
The audit also found that system settings "also could allow two users to approve their own transactions without review or additional approval from an independent party," that inadequate controls over system security administrators increased the risk of improper activity, and that OA management "has not fully developed policies and procedures for SAM II administration."
Out of the 41 MissouriBUYS accounts identified, OA management reported to audit staff that the agency security coordinator had not submitted a removal request to the system's security administrator on 39 accounts for more than 30 days after the users terminated employment; that delay in requesting former employees' removal from the system was longer than six months in the case of 32 of those 39 accounts.
Most of the accounts were inactive, but one was still active as of Oct. 4, 2019, for a user who terminated employment in May 2019. "The OA did not receive a removal request for this account until Oct. 7, 2019, after audit staff alerted the agency," according to the audit.
The audit recommended monthly reviews of user accounts and development of additional procedures to identify accounts that no longer need access and remove them in a timely manner.
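The kind of periodic reconciliation the audit recommends, written as an added example that is not part of the audit, the OA's procedures or either system's code: it compares HR termination dates against the account roll, flags accounts still present 30 or more days after termination, notes whether a removal request was ever submitted, and separately lists transactions entered and approved by the same user. All user names, dates and transactions below are constructed sample data.

```python
from datetime import date

# Constructed sample data: HR termination dates, the system account roll,
# removal requests submitted by agency security coordinators, and transactions.
HR_TERMINATIONS = {
    "jdoe": date(2019, 5, 15),    # terminated months ago, account still active
    "asmith": date(2019, 9, 20),  # terminated recently, inside the 30-day window
    "bkim": date(2019, 3, 1),     # terminated, account inactive, request submitted
}
ACCOUNT_ROLL = [
    {"user": "jdoe", "status": "active"},
    {"user": "asmith", "status": "active"},
    {"user": "bkim", "status": "inactive"},
    {"user": "clee", "status": "active"},  # current employee, not in HR_TERMINATIONS
]
REMOVAL_REQUESTS = {"bkim": date(2019, 3, 5)}
TRANSACTIONS = [
    {"id": "TX-1", "entered_by": "clee", "approved_by": "mgr1"},
    {"id": "TX-2", "entered_by": "clee", "approved_by": "clee"},  # self-approved
]


def stale_terminated_accounts(accounts, terminations, removal_requests, as_of, max_days=30):
    """Return accounts whose owner was terminated max_days or more before as_of.

    Inactive accounts are reported as well, because an account that was never
    removed is a finding regardless of its current status; the report records
    whether a removal request exists so the delay can be attributed.
    """
    findings = []
    for acct in accounts:
        terminated = terminations.get(acct["user"])
        if terminated is None:
            continue  # not a terminated user
        days = (as_of - terminated).days
        if days >= max_days:
            findings.append({
                "user": acct["user"],
                "status": acct["status"],
                "days_since_termination": days,
                "removal_requested": acct["user"] in removal_requests,
            })
    return sorted(findings, key=lambda f: f["days_since_termination"], reverse=True)


def self_approved_transactions(transactions):
    """Return ids of transactions where the entering user also approved them."""
    return [t["id"] for t in transactions if t["entered_by"] == t["approved_by"]]
```

Run monthly against the real HR feed and account export, the first function yields the list that a review should act on, and the second is a simple segregation-of-duties check on transaction logs.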
"We do not agree that risk associated with unauthorized access to the SAM II system is as significant as reported in the audit because a user must access the state network in order to access the accounting system. The audit fails to acknowledge or evaluate this initial security measure," according to the OA's response, included in the audit.
However, Galloway commented that the risk of inappropriate access is not fully eliminated by the necessity to be on the state network "because certain users can access the state network from remote locations. Further, the control is not effective in situations where a user transfers from one state agency to another, and thus legitimately retains access to the state network."
The OA did change its security measures regarding administrators' ability to enter transactions without someone else's approval, though the office did not go into details in its comment to the auditor, other than that periodic random samples of administrator actions will be reviewed.