Monday, January 22, 2024

State Auditor Says Secretary of State Withheld Information on Implementation of Cybersecurity Law

By the Missouri State Auditor's Office

An audit report released Monday by State Auditor Scott Fitzpatrick gives the Missouri Secretary of State's Office a rating of "fair," which is a downgrade from the office's last audit that had a rating of "good."

The report details how the Secretary of State's Office (SOS) refused to provide information on the office's implementation of a new statutory requirement to perform cyber security reviews of Missouri's 116 local election authorities (LEAs). Despite the fact that Missouri law requires the disclosure of the information to the State Auditor's Office (SAO), the SOS refused to provide the names of LEAs receiving cyber security reviews, LEAs planned to receive future reviews, or the results of the reviews that have been conducted.

In 2022, the Missouri Legislature passed House Bill 1878. Among the numerous election related provisions contained in the legislation was a new requirement that the SOS and LEAs receive a cybersecurity review once every two years. Because the SOS refused to cooperate, audit staff were unable to obtain sufficient evidence to evaluate the steps taken by the SOS to comply with the new state law. While the SAO did not pursue legal remedies to obtain the information, it did determine through other means that, at a minimum, most of the cyber security reviews appear to have been completed. The audit recommends the SOS provide information requested by the State Auditor as required by state law.

"Public trust in the electoral process is the cornerstone of our democratic institutions. The legislature passed HB 1878 with the goal of providing Missourians confidence that their voices are being accurately and securely recorded at the ballot box. With a major election cycle right around the corner, verifying the implementation of the new cyber security reviews was a vital part of our audit. The law clearly provides our audit staff with the authority to receive and review this information, and it's disappointing the Secretary of State's Office stood in the way of our efforts to perform a thorough analysis of how the new cyber security reviews have been implemented," said Auditor Fitzpatrick. "Going forward I hope the office, and all governmental entities, will follow the law and respect the duty we have to provide taxpayers with a better understanding of how government is operating and that their tax dollars are being used efficiently."

The audit also found a decision made by the Secretary of State's Office to leave the Electronic Registration Information Center (ERIC) will cause local election authorities (LEAs) to have less information to identify and correct inaccurate voter records because the SOS did not have a plan to replace the benefits received from membership with ERIC.

In September 2017, the Missouri Association of County Clerks and Election Authorities (MACCEA) unanimously passed a resolution urging Missouri to join ERIC to "improve the efficiency and quality of voter registration list maintenance."  Shortly after the MACCEA adopted the resolution at their 111th Annual Conference, the SOS became a member of ERIC in January 2018. According to Secretary Ashcroft, the state joined ERIC to make elections better, make voter rolls more accurate, and bring greater trust to the election process.

As the SAO attempted to evaluate the efficacy of ERIC membership, SOS officials refused to provide reports from ERIC or details of how many deceased voters, cross-state movers, or duplicate voter registrations were identified by ERIC data reports. This refusal necessitated that audit staff obtain this information directly from ERIC. The data shows during the five years the state was a member of ERIC, the SOS and local election authorities (LEAs) were provided information on over 770,000 potentially duplicate voter registration records and over 21,000 deceased voter registration records. Election administrators in Missouri's largest election jurisdiction, St. Louis County, used ERIC reports to remove thousands of deceased voters from their voter rolls alone.

According to the audit, the SOS did not fully evaluate the benefits received from ERIC prior to terminating the membership. The SOS did not track and analyze the summary data received from the ERIC reports or the results of the LEAs' investigations of the potentially inaccurate records identified by ERIC. Prior to making the decision to terminate ERIC membership, SOS officials did not consult the LEAs even though they are the primary users of the reports generated by ERIC. Since the departure, county clerks have publicly stated their list maintenance efforts will be less efficient and more tedious as they will have to rely on pre-ERIC methods to ensure the accuracy of their voter rolls. The audit concludes that while the SOS has recently undertaken efforts to replace the benefits received from ERIC, those efforts have not been fully implemented and it is unlikely those procedures will fully offset the value received from the ERIC membership. The report recommends the SOS take action to make sure the LEAs have the most appropriate data available to ensure the completeness and reliability of the state's voter registration data.

Fitzpatrick said, "I can respect why Secretary Ashcroft felt it was necessary to end the relationship with ERIC, but that doesn't negate the responsibility to have a plan to replace that data so the office has a reliable way to ensure we don't have dead voters registered in Missouri as we enter a major election year."

The audit report also includes a finding from the 2023 Annual Comprehensive Financial Report - Report on Internal Control, Compliance, and Other Matters, which found the SOS did not have adequate controls and procedures over financial reporting of accounts receivable. As a result, civil penalty accounts receivable data submitted to the Office of Administration for inclusion in the financial statements for the year ended June 30, 2022, was misstated. If the resulting misstatements had not been identified during the audit, Government Wide - Governmental Activities and Public Education Fund net accounts receivable and related liability balances would have been overstated by at least $9.7 million in the financial statements.


No comments: