Auditor Of Public Accounts
Luallen releases ‘Auditor’s Alert’ on lessons learned from Bullitt County electronic payroll theft of nearly $416,000

Press Release Date:  Wednesday, August 05, 2009  
Contact Information:  Contact: Communications Director
Phone: (502) 573-0050
Fax: (502) 573-0067Email: APA.PressReleases@Auditor.ky.gov
Website: http://www.kyauditor.ky.gov
 


FRANKFORT, KY (8-5-09) State Auditor Crit Luallen today released an “Auditor’s Alert” to all county governments regarding lessons learned from a recent Bullitt County Fiscal Court theft of nearly $416,000.

 

In June 2009, $415,989 was taken from a Bullitt County payroll account through fraudulent electronic payment transactions using malicious software installed by an unauthorized intruder on a Bullitt County computer.

 

Based on the examination of this incident, Luallen’s information technology auditors created more than two dozen recommendations that should be considered when evaluating government information technology security policies.

 

“These are best practices that can be implemented to ensure effective security for any government agency,” Luallen said. “Our objective is to shed light on this type of risk and to offer solutions to prevent future cases.”

 

Luallen said her office, through an Auditor’s Alert, periodically offers guidance and recommendations regarding fiscal matters, accountability and best practices to governmental agencies across the state.

 

Because the auditor’s office audits fiscal courts, it examined the Bullitt County incident and created recommendations to assist local governments statewide.

 

According to the alert, a “defense in depth” is recommended, where a multi-layered approach to information security provides the most efficient and effective defense against unauthorized system access. 

 

“Simply put, there is not one single step that can be taken to provide sufficient information security. Instead, several steps must be put in place to create effective security,” according to the alert.

 

The Auditor’s Alert is attached; however, a more comprehensive discussion of these best practices is available on the Auditor’s website, www.auditor.ky.gov/Public/BJSecurityapp/bestpractices.html