Sunday, October 5, 2014

[Sutter County] Supervisors agree audit not followed



October 4, 2014
Appeal-Democrat
Andrew Creasey

The Sutter County Board of Supervisors agreed in part with grand jury findings the county's Information Technology Department was not in compliance with a 2011-12 audit report.

The grand jury found terminated employees still had access to financial applications, passwords required to access systems were not complex, independent security testing is not performed periodically and information technology risks are not formally documented, evaluated and addressed periodically.

The IT Department was audited by CohnReznick in fiscal year 2012-13, which made several recommendations about IT policy and procedure that were not implemented, according to the grand jury report.

IT Deputy Director Michael Baker told the grand jury the department is understaffed and under-budgeted and that to implement the recommendations of the report would be costly and time- consuming.

Many of the issues have been rectified since the IT Department was reorganized into the General Services Department in July 2013, according to the board's response.

A new policy was implemented in January 2014 requiring passwords to be changed at regular intervals while adhering to password complexity criteria.

The county financial system's security has been revamped. Every account has been re-evaluated, and access to the system has been restricted based on the individual user.

The county has spent about $318,000 overall on the implementation of its financial system, said Chuck Smith, county spokesman.

In May 2014, the county became an official member of the Multi-State Information Sharing and Analysis Center, which provides cyber security services.

The county also developed an IT Strategic Plan with Curt Dodds, an IT strategy consultant, at just under $6,000.

The grand jury report also recommended the IT Department request additional funds to comply with the audit report.

"The board cannot concur with (that recommendation) if it is not prepared to grant that additional funding immediately," Smith said in an email.

In the response, the board said it acknowledges the needs of the IT Department but must balance those needs with other areas.

"Continued budget constraints and the competing priorities of the county are expected to continue for the foreseeable future, and will force the county to make difficult decisions regarding funding any new programs and efforts," the response stated.

The county was also concerned about the term "compliance" in the grand jury report. There is no requirement to be in compliance with the independent audit, Smith said.

CONTACT reporter Andrew Creasey at 749-4780 and on Twitter @AD_Creasey.

No comments: