Information Technology concerns loom over Rio Arriba County’s 2020 audit.
The audit was performed by Cordova CPAs LLC. The audit states the County overspent its budget by $358,826 during the 2020 fiscal year. County officials said they were resolving the issue and increasing the amount of budget increases and decreases requested at the monthly commission meetings.
Bobby Cordova, a CPA with the audit firm, said there was an increase in financial activity all around for the County in both spending and revenue.
“[The audit] tells the story of fiscal year 2020 and the financial health of the County,” Cordova said. “There’s a slight uptick in revenue, about $2.5 million, mostly in grants and corresponding increases in costs as well.”
Cordova said the largest concern he had was with the County’s cybersecurity.
“Most severe is a major weakness in the IT area,” Cordova said. “There is enough risk that could impact the County. Local governments have become a target for ransomware.”
The previous year’s audit states cybersecurity measures, which were not adhered to, were recommended to the County. It recommended hiring a third party outside source to do cyber-penetration tests to identify vulnerabilities as well as implementing standards for information security.
According to the audit the County was in the process of hiring a third party company to handle these information security questions when it was the target of a ransomware attack, which cost the County $185,000 to pay the ransom and an additional $70,000 to restore the lost systems and the County’s data.
Since then the County has had a formal risk assessment done, and the County is in the process of buying new equipment after which the disaster recovery plan will be updated. The County is still working with Ortiz Systems Incorporated.
Deputy County Manager Leo Marquez said they had recently completed a cyber audit.
“The County is contracting with Risk Sense and they come in and do a cyber audit,” Marquez said. “We just completed this year’s a couple of weeks ago. They come in and they do an assessment, and we use that assessment to ask for a capital outlay to strengthen our backbone and our computer system so hopefully we don’t ever get hacked again.”
The audit identified major deficiencies in Information Technology control. It found a wide range of different operating systems operated on different patches and that the County did not have a consistent system for keeping the computers up to date on current patches.
“Things kinda change, those environments change, the users change, those vulnerabilities or something that wasn’t an issue last month, next quarter might be,” Cordova said. “In today’s environment it’s pretty tough with resources that are limited to eliminate the risks, but how do you mitigate the risks to an acceptable level for you? To live with the day to day operations, and think we’ve done what we can with the resource we have available to us.”
Another major issue identified was grant compliance and reporting. The audit noticed a problem with a Mortgage Finance Authority Grant that started in the third quarter of 2020 but wasn’t caught until the end of the fiscal year. The grant was receiving more money then was expended.
The investigation found that a health and human services employee was using their own tracking system to request funds from the grant instead of the internally controlled one, and reimbursements the County employee was requesting were coming from a different grant and that expenditures requested from one grant were reimbursed to both grants resulting in the County receiving double reimbursement of $55,494 to an expenditure of $23,750 which could result in fines or the grants being revoked.
The County said in its response that it corrected the balance in the accounts and now only one person in the Department of Health and Human services can make grant requests.
Health and Human Services Director Lauren Richelt said the grant was the Youth Homeless Demonstration Project, which was being managed by a new employee.
“A bunch of stuff happened at the exact same time, we moved to Medicaid right as COVID hit so she did not get the supervision she needed,” Reichelt said.
The audit also found that the County was late in its payments to the Public Employee Retirement Association multiple times and at least one employee was underpaid. The audit found that this was because the County did not have a system to review PERA calculations to ensure the right amounts were being sent.
County officials responded and said they were increasing oversight over the Human Resources Department.
The audit also noted one instance where payments to the County were not deposited within 24 hours. In the audit the County pointed out that the day of the mistake was Feb. 21, which was a Friday, had a high amount of people paying taxes all at once and the lone employee wasn't able to leave the window to make a trip to the bank.