State IT leaders review Ponemon's 2018 Cost of a Data Breach study
September 21, 2018
Government agencies have lower data breach costs, but something less replaceable than cash at risk.
The state's technology agency is required to provide oversight for Minnesota's Information and Telecommunications Account, but was unable to show in many instances that it was reviewing applications or monitoring projects.
Colin Wood is the managing editor of StateScoop. Before that, he was a staff writer for Government Technology magazine. Before that, he taught Engl...
Minnesota's state technology agency, already under scrutiny for spending $100 million on a long-troubled vehicle license and registration system, is now being accused of failing to properly manage a special account for technology projects.
The Minnesota Office of the Legislative Auditor released a report Thursday stating that Minnesota IT Services, also known as MNIT, "generally did not comply with significant legal requirements," nor its own policies, to manage the state's Information and Telecommunications Account.
MNIT is responsible for providing oversight of the ITA, which agencies may divert unspent funds into at the end of every biennial budget cycle. The fund was created in 2006 as a way for agencies to roll over unspent budget dollars without losing the funding, provided they received approval for project plans that met certain requirements. But MNIT, the report says, "did not provide adequate oversight" for the account or those who have been using it.
Since 2007, agencies have transferred more than $79 million into the account for 209 projects and as of March 2018, the account had a balance of $23 million and 95 of those projects remained incomplete.
One of the key findings of the report is that MNIT did not have controls in place for projects that left unspent funds in the account.
Agencies are permitted to divert funds into the account for agency-specific technology projects or projects that reach across the enterprise. The Minnesota Department of Revenue, for instance, used the ITA to pay for upgrades to GenTax, a tax return management system. Meanwhile, many agencies transferred funds into the account to pay for data center consolidation, a project that affects the entire enterprise.
Auditors say they received "full cooperation" from MNIT during the investigation, but that "MNIT management provided us with inconsistent explanations and timelines regarding which policies were applicable to projects funded through the Account."
Additionally, changes made to how the agency tracks projects since the account's inception made it "difficult," auditors said, to determine basic information, such as the number of projects that had been approved for the account.
MNIT implemented more rigorous oversight policies in 2014 that required project teams to report monthly to MNIT on how ITA projects were progressing, and in 2015 MNIT created a Enterprise Program Management Office that provided resources like a user guide and project-documentation templates designed to improve account oversight. But, the audit notes, there were many instances of MNIT being unable to provide proof that it had been verifying ITA project requests, monitoring projects after they had been approved, or verifying when projects had been reported as complete.
MNIT regularly submits reports to the state legislature on the account, but the technology agency was also found, the report says, to have submitted inaccurate and incomplete reports that has made it impossible for lawmakers to make effective decisions regarding the account. "MNIT misrepresented the project information in the report in its communication to the Legislature," auditors wrote.
In a letter to state auditors, MNIT Commissioner Johanna Clyborne said her agency's shortcomings in compliance "are reflective of the fact that there are not yet sufficient resources within MNIT’s central, enterprise office to enforce consistent compliance with these more robust internal oversight requirements."
Clyborne also said oversight was improved in 2016 through a partnership between the legislature and Minnesota Management and Budget that created new statutes and a review-and-approval process by the statehouse's Legislative Advisory Commission.
Her letter included specific plans to address each of the report's main findings directed at MNIT.
"We are committed to strengthening further the oversight and enforcement activites surrounding the ITA account," Clyborne said.
MNIT is currently facing four other audits, including three for its management of the Minnesota Licensing and Registration system, or MNLARS, a project that has now cost the state more than $100 million and that the technology agency says needs millions more to finish repairing.
State Rep. Sarah Anderson, the Republican chairwoman for the House State Government Finance Committee and one of the leaders of the legislature's MNLARS review, told StateScoop in an email that she believes MNIT needs a full "top to bottom review."
"I am troubled they omitted information from the Legislature," Anderson wrote. "The slush fund they created doesn’t help our schools, state healthcare needs or even their top priority of cyber security. Mismanagement for the last four years all lead to this moment."