Auditor Of Public Accounts
Luallen releases special examination on Bullitt County electronic payroll theft of nearly $416,000 in June
State Auditor Crit Luallen today released a special examination on an electronic payroll theft of nearly $416,000 from Bullitt County Fiscal Court in June.
The examination offers numerous recommendations to the county for strengthening online banking and information technology resources.
Luallen’s office learned of the June theft of $415,989 from a Bullitt County payroll account through Louisville media reports.
Because her office audits county fiscal courts, and because the theft was carried out through fraudulent electronic payment transactions using malicious software installed by an unauthorized intruder, Luallen sent a team of information technology auditors to Bullitt County.
Luallen’s IT auditors reviewed the county’s internal controls and procedures governing the processing of automated payroll transactions and gave the county recommendations for improvement.
“With today’s technology, the threat to a county’s computer systems is real if the proper defense isn’t in place,” Luallen said. “There isn’t one single step that can be taken to provide sufficient information security. Instead, several steps must be put in place together to create effective security, and our examination gives the county those steps.”
According to the examination, the county established an online banking account with a local bank in August 2007.
Although eight individuals were given access to the account, the month of transactions reviewed by auditors suggests that only three of these user accounts were in regular use: those of the treasurer, the county judge-executive and the assistant treasurer.
“The county took responsibility for the use of the online banking service at the time they established the account. When dealing with a vendor for a service, especially one that could potentially affect a bank account, it is imperative for the county to be as knowledgeable as possible of the responsibilities they are assuming and establish appropriate controls in procedures to mitigate potential risks,” according to the examination.
Auditors found that the county did not have procedures in place to respond to questionable transactions related to the online account.
“There were several instances where questionable batches were noticed by county staff or questionable transactions were brought to the county’s attention from the bank; however, there was no formal process in place to ensure that these instances were fully resolved to the satisfaction of the county management,” according to the examination.
Auditors found that the county did not consistently use centralized e-mail accounts or enforce spam filtering for incoming e-mail transmissions.
According to the examination, during 2009, a centralized e-mail address was established for county employees; however, employees were not consistently using these e-mail accounts. There were employees using other accounts for county business purposes through e-mail providers such as Windstream, Yahoo, AOL, and Hotmail.
“Without centralized e-mail accounts with properly established spam blocking software in use, it increases the susceptibility of the county to known malicious software. It is the county’s responsibility to protect its IT resources from malicious software (viruses, Trojans, worms, hoaxes, etc.),” according to the examination.
The examination’s findings and recommendations can be viewed at www.auditor.ky.gov.
In a letter to the Auditor’s Office in response to the examination, the county refers all questions and comments to the Bullitt County Attorney.
“Due to the fact that Bullitt County Fiscal Court is currently in litigation with First Federal Savings Bank because of the electronic theft of county funds, I am referring all questions and/or comments to Walt Sholar, the Bullitt County Attorney,” said Melanie J. Roberts, Bullitt County Judge-Executive.
Luallen said the events that occurred in Bullitt County can serve as lessons for all governments.
In August, Luallen sent local governments statewide more than two dozen recommendations, based on lessons learned from the Bullitt County incident, which should be considered when evaluating government information technology security policies.
This information was in the form of an “Auditor’s Alert,” which periodically offers guidance and recommendations regarding fiscal matters, accountability and best practices to governmental agencies across the state.
Luallen and her staff also provided three presentations on the Bullitt County issue to attendees at the Kentucky Department of Local Government’s Local Issues Conference in Louisville on Aug. 18.
The Auditor’s Alert is available on the Auditor’s website.