JEFFERSON CITY - Missouri taxpayer dollars are not as secure as they should be, a state audit has found.
The state's accounting system, known as Statewide Advantage for Missouri or SAM II, is not adequately secure from access by outsiders, and the department in charge does not have a proper plan to resume business in case the system goes down, the audit reports.
"We looked at the disaster planning, the continuity planning, of the SAM II system, then we also looked at security," Missouri auditor spokesman John Hollis said.
SAM II keeps track of payments made to and by the state and accounts for payroll of state employees. The system processed about $25 billion in transactions in fiscal year 2003, the audit states.
The audit found SAM II, which is managed by the Office of Administration or OA, is accessible by former state employees who still have working user IDs.
"IDs that should have been deleted that are still active pose a security problem," Hollis said.
Some current users have criminal backgrounds in financial-related fields, the audit reports. Of the more than 7,000 employees with access to the system, 146 had criminal records, 46 of which involved robbery, theft or fraud, the audit states.
"We wanted to determine if there was any risk of people with inappropriate backgrounds having access," Hollis said.
The key is knowing who is using the program so they can be monitored, if necessary, Hollis said. The issue is not necessarily refusing access to those with a criminal record. "If someone has a history, you want to know that," Hollis said.
The remedy is already underway, OA spokeswoman Ann Hamlin said. Background checks are now required of anyone who can access SAM II and make informational changes to the system, she said.
"Each state agency will be responsible for doing background checks on employees who can enter and retrieve information from the SAM II system," Hamlin said.
The audit also focused on system recovery, which is the ability to resume business operations in case of a fire or computer crash. The OA lacks a comprehensive recovery plan, the audit found. The OA does not have an offsite facility to continue operations in case of a disaster and lacks documented procedures for manual processing when computers are not functioning, and its personnel are not trained on all responsibilities relating to recovery.
Disaster recovery requires adequate funding, Hamlin said.
Improvements can be made even if extra funding is not available, Hollis said. "Sometimes the remedy is more funding, sometimes the remedy is finding a way to redeploy resources in a different way," Hollis said. He pointed out that the OA is working to meet audit recommendations with the funds available.
The OA is complying with the audit's advice for upgrading security and planning for disaster recovery, Hamlin said.
"We appreciate the audit, we agree with the recommendations and we are instituting them to the extent that resources allow," Hamlin said. "Taxpayers should know that their tax dollars are being managed carefully."