Auditor critical of IT department in probe
A draft audit CLEVELAND — report on Cuyahoga County’s troubled IT Department raises questions about the authority and oversight of the department’s general counsel, Emily McNeeley, who is a focus of an ongoing corruption investigation.
Internal Auditor Cory Swaisgood suggests that the general counsel, whom he doesn’t name, had been given too much authority and was not adequately supervised by the county Law Department despite assurances to the contrary by county Law Director Robert Triozzi.
Swaisgood also suggests the county seek to recover $119,782 in payments to OneCommunity, a highspeed internet provider, for services that could not adequately be reconciled during the audit. Scot Rourke, the county’s IT director, is OneCommunity’s former chief executive.
Rourke also is a focus of the corruption probe by the County Prosecutor’s Office, and has been placed on leave along with McNeeley.
A draft copy of the audit was leaked Thursday to cleveland.com after the administration of County Executive Armond Budish tried for weeks to keep the document secret by claiming it was not a public record - an assertion disputed by an expert on Ohio’s public records laws.
The Budish administration released its version of the draft audit after learning that cleveland.com had a copy. The county’s version contains management responses to the report’s recommendations. In most cases, management states that its in agreement, at least partially, with the findings and in some cases has already implemented changes.
A copy of the county’s version of the draft audit can be read below.
Here are some of Swaisgood’s findings along with some management responses:
■ The IT Department lacked adequate segregation of duties, which resulted in McNeeley performing legal reviews and approvals of contracts while also serving on the department’s leadership team. Management took no position on the segregation of duties issue because it is subject to investigation by the county prosecutor’s office.
■ McNeeley had access to perform - and at times did perform - multiple functions: requestin§g a procurement, giving departmental approval for the procurement, obtaining documents from vendors, and giving legal approval of the same procurement. Management partially agreed with a recommendation that the IT Department should institute logical controls to prevent on person from approving multiple steps.
■ Swaisgood suggested that the legal review of contracts should be independent from the department requesting the contract in order to reduce the risk of procurement fraud. Management disagreed.
■ The deputy chief information officer and McNeeley made the decision to go live with a new version of the OnBase data management system in July of 2017 against the desires of the director of Office and Procurement and Diversity, resulting in flawed performance.
■ While Triozzi reported that his department supervised McNeeley’s work, Swaisgood obtained no evidence that the Law Department adequately supervised McNeeley and noted McNeeley was categorized as an IT employee and paid out of IT’s budget.
■ Nearly half of the IT Department contracts, purchase orders and other deals reviewed for the audit - 47 of 96 - were awarded without competitive bidding and Swaisgood found no evidence that efforts were made to identify other possible vendors. The deals were worth more than $3.6 million. Swaisgood noted that competitive bidding ensures that taxpayers get the best value and reduces the risk of fraud. Management said it’s committed to following rules related to competitive bidding.
■ The user ID of a terminated employee from the Office of Budget and Management was used 25 times to perform required OBM approvals of more than $27 million in ontracts. In one case, the user ID was used 120 days after the employee’s termination date. The audit report notes that a new version of the software prevents terminated employees from gaining access.
■ The IT Department set effective dates on 29 contracts and other deals totaling more than $6 million before the deals were approved.
■ The IT Department failed to obtain all required review authorizations on 30 contracts or other deals totaling more than $27 million.
■ Required review authorizations were made on 62 contracts or other deals totaling more than $31 million after the deals already had been approved.
■ Swaisgood could not properly analyze data in the OnBase system because it did not have the capacity to generate adequate reports.
■A technical advisory committee established in 2012 to advise whether IT purchases and contracts comply with county standards has not been operating in compliance with state open meetings law.
Swaisgood began the audit as a matter of routine review of county operation. He expanded the scope in light of the corruption investigation. The audit includes a review of procurement practices, contract-related transactions and various controls to make sure systems are working as intended.
Budish also released the following statement on Thursday.
“We appreciate the good work of the Internal Auditor. With the exception of issues relating to two employees (who are subject to a separate investigation), the legacy weaknesses identified in systems of IT and procurement have generally existed for many years. The timing of this audit is particularly helpful, as it enables us to improve our processes at the same time we are beginning to implement a new, integrated, system-wide computer program (ERP). As can be seen from the management responses, we are adopting almost all of the recommendations made in the audit. The integration of process improvements into the new ERP system should make us much more efficient and save money in future years.