State CIO Shawn Riley assuages legislators' worries by detailing how his department has found 100 of the 217 unaccounted-for devices cited in recent audit findings and by outlining his plan to prevent future clerical errors.
The North Dakota Office of the State Auditor has scrutinized the inventory processes of the Information Technology Department (ITD) since auditors first recommended a modernization in 2015. Now, CIO Shawn Riley has informed legislators that his agency has implemented a new fixed asset tracking system.
Riley said in a prepared statement that the new inventory method will automate entries and reduce the number of clerical and manual errors, which left about 217 pieces of office, network and computer equipment and devices unaccounted for. Of the 217, 24 devices had the potential to contain sensitive information, such as addresses, Social Security numbers, and usernames and passwords of state employees and residents.
In his presentation, Riley informed the committee that the unfound number has dropped to 117 and that 10 of the 24 pieces of equipment potentially carrying personal information were either recycled or wiped and sent to state surplus.
North Dakota state Rep. Corey Mock, chairman of the committee, said usually his legislative group doesn’t ask Riley to address audit findings, but due to the high volume of missing items and the accompanying price tag of more than $90,000, he was curious about how ITD planned to mitigate the issue.
“I feel pretty confident and looking at the list and talking to them about unaccounted-for items that this was more of a bookkeeping issue than it was items walking out the door and no one being held accountable,” Mock told Government Technology.
Mock said Riley assuaged his cost concerns by clarifying that the audit’s estimate was based upon when the equipment was originally purchased and not its current value.
“What we found out is that those were purchase prices and it’s kind of akin to saying that the laptop you bought in 2004 and you spent $1,500 on you’d have to pay someone to dispose of it today,” Mock said. “It’s not worth $1,500 anymore and effectively it’s worthless.”
Office of the State Auditor Director Don LaFleur said the first his auditors learned of the new fixed asset tracking system was during the exit conference for the most recent audit.
“I don’t know if the new system in and of itself is necessarily going to correct [the inventory process] unless they still make an effort on things that they can’t find in their yearly inventory,” LaFleur said. “Maybe it’ll give them better records so that items that they’ve decommissioned can get updated properly to show it that way. It might help them in that regard, but there’s probably going to be some missed assets that are just misplaced, and they don’t know where they are at.”
He noted ITD was transparent during the process and handed over all data necessary for the biannual audit, which in addition to inventory processes looked at the department’s budget and blanket bond coverage. The next Office of the State Auditor review of the department will span the period of time from July 1, 2019 to June 30, 2021.
“What we’re asking them to do is the ones that we consider sensitive, the ones they should consider sensitive, they should find them,” LaFleur said. “Whatever it takes to find them. That’s what they’re not doing.”
Riley said in his prepared statement that his department has added procedures to the physical inventory process to document the search for unfound sensitive items.
“Good stewardship of resources and sensitive information is fundamentally important in our role serving citizens,” Riley said. “The Information Technology team is committed to ensuring that procedures and protocols are in place to track all inventory and assets effectively, while protecting our state systems and citizens’ data.”
ITD deployed a security team to identify equipment containing personal information and to locate the 24 devices, 10 of which have been found. Riley told legislators he expects a continual decrease in the remaining number of missing devices, but it will most likely not be zeroed out.
“We appreciate the subsequent audit that confirmed the need for improvement and the importance of the steps taken to strengthen these procedures,” Riley said in his statement. “These steps are an important part of maturing our overall statewide IT service management approach, which was presented and approved in the recent legislative session, and includes asset tracking as well as other components.”