State Auditor Nicole Galloway has released an audit of the Statewide Advantage for Missouri (SAM II) system, which handles billions of dollars in financial transactions each year for the state of Missouri. The report found security control weaknesses that could leave the system vulnerable to unauthorized or inappropriate transactions. SAM II is managed by the Office of Administration (OA) and has more than 4,500 system user accounts. The audit also covered MissouriBUYS, the state’s eProcurement system that uses SAM II for financial processing and has more than 1,300 user accounts.
One of the vulnerabilities found in the audit was that user accounts of terminated employees are not always removed in a timely manner, meaning former employees could still access the system. The audit found that 30 days or more after their termination, 21 former employees still had access to SAM II and 41 former employees still had access to MissouriBUYS. Another weakness in the financial system security settings could also allow two users to approve their own transactions without review or additional approval from an independent party. The audit also found that inadequate controls for system security administrators increased the risk of improper activity in SAM II, and that OA management has not fully developed policies and procedures for SAM II administration.
Audit recommendations include performing periodic reviews of user accounts to ensure access is more promptly terminated for former employees and that the access given to security administrators is appropriate.