Auditor Galloway finds state's financial and human resources management system needs better security controls

Audit on Statewide Advantage for Missouri (SAM II), recommends steps to reduce risk of unauthorized or inappropriate activity

State Auditor Nicole Galloway has released an audit of the Statewide Advantage for Missouri (SAM II) system, which handles billions of dollars in financial transactions each year for the state of Missouri. The report found security control weaknesses that could leave the system vulnerable to unauthorized or inappropriate transactions.

SAM II is managed by the Office of Administration (OA) and has more than 4,500 system user accounts. The audit also covered MissouriBUYS, the state's eProcurement system that uses SAM II for financial processing and has more than 1,300 user accounts.

"In fiscal year 2019, the state used SAM II to process about $40 billion in transactions," Auditor Galloway said. "Appropriate security measures are vital in safeguarding the taxpayer dollars that go through this system. I encourage OA officials to follow through on the recommendations in the audit to ensure those safeguards are in place."

One of the vulnerabilities found in the audit was that user accounts of terminated employees are not always removed timely, meaning former employees could still access the system. The audit found that 30 days or more after their termination, 21 former employees still had access to SAM II and 41 former employees still had access to MissouriBUYS.

Another weakness in the financial system security settings also could allow two users to approve their own transactions without review or additional approval from an independent party. The audit also found that inadequate controls for system security administrators increased the risk of improper activity in SAM II, and that OA management has not fully developed policies and procedures for SAM II administration.

Audit recommendations include performing periodic reviews of user accounts to ensure access is more promptly terminated for former employees and that the access given to security administrators is appropriate.

A complete copy of the audit, which gave a rating of fair, is available here.