A legislative audit is shedding light on the issues that allowed a former state employee to allegedly embezzle nearly $2 million.
Officials say it may be more than just financial oversight. It potentially also involved an IT problem – one that was missed by a previous audit.
Lawmakers at the latest Government Operations and Audit Committee, or GOAC, meeting took special interest in one particular finding of the Department of Legislative Audit’s fiscal year 2023 report. It was the section that found “material weakness” in the Department of Social Service’s control over payments of Temporary Assistance for Needy Families funds.
Of the 60 claims auditors tested, 53 had no evidence that more than one person was involved in the authorization of payments.
Auditor General Russell Olson, head of the Department of Legislative Audit, detailed the DSS issue during his presentation on the broader report. A few minutes into the explanation, he was interrupted by Rep. Tim Reisch, who asked a question likely on the minds of many.
“Unless I’m missing something, this is describing exactly what happened in the charges being brought against a former DSS employee," Reisch said. "Is that correct?”
Reisch is referring to the case of Lonna Carroll, the former DSS employee accused of embezzling $1.8 million between 2010 and 2023.
Olson said DSS uses a system called “Family and Child Information System,” or FACIS, to handle claims. He said the system handles a "tremendous amount of claims" - around $7.2 million in 2023 alone.
FACIS is designed to require two people for every claim: one to request, and another – a supervisor – to approve.
“Part of it got down the fact, that the way the system was set up and intended was there. The only problem got down to how some of the rights were assigned,” Olson said.
It boiled down to permissions within the software. Olson said some staff were assigned both the ability to request claims – and approve them.
It’s important to note Olson was not speaking to Carroll’s particular case, only what the audit found. Throughout the discussion, Olson was careful not to answer questions specific to Carroll's criminal case, which is being investigated by the attorney general's office.
But, as Reisch noted, the issues Olson laid out would explain how one person could process claims without anyone else noticing.
DSS has used the FACIS system since 2000. Olson said it was last audited in 2020. That audit did not catch the problem.
Rep. Hugh Bartels is a GOAC member and retired banker. He said based on his experience in finance, this type of problem can slip by a regular audit.
“I think the problem that they’re talking about is an IT problem that normally isn’t discovered when you review procedures. If someone has too many permissions, that’s something that’s not something that a financial audit is going to catch," Bartels said. "In the financial world, we have what’s called IT audits, and we hire companies that don’t even have CPAs in them to do them, to look for those types of problems. So, I think this is something we need to adjust as we go forward – do some more IT-based audits.”
Investigators say Carroll embezzled the money over a course of 13 years. It wasn’t caught until this February when DSS staff noticed it during an update of the FACIS system. Olson said after DSS found the issue, they notified his office, prompting the audit.
The audit recommended DSS should strengthen control of its approval system. In a statement, DSS said additional safeguards have already been implemented.
But some lawmakers on the committee expressed skepticism. Sen. David Wheeler questioned whether the audit uncovered the root issue.
“This is $1.8 million. And we have one internal control recommendation regarding, 'don’t have the same person approve claims that requested claims,'” Wheeler said. “I have a hard time believing that’s the only issue causing this thing. That there’s other things going on somewhere, whether it’s other internal controls or internal agency conditions or personnel matters – whatever it might be – that contributed to cause that kind of loss. “
Other lawmakers questioned whether problems like these are happening elsewhere in state government.
Olson said he couldn't speak offhand on the results from other audits, but he said reviewing their systems would be a standard part of the process. He did say that no other department or agency uses the FACIS system.
Earlier in that same GOAC meeting, lawmakers laid the groundwork for an investigation into the governmental failures that allowed the alleged embezzlement to take place. They’re tentatively planning for a special meeting in October. Lawmakers hope by then, they’ll have a better idea of what specifics they’ll be able to discuss without interfering with the criminal case.
