Idaho’s new statewide business system lacked a variety of information technology controls for data validation and security, according to an audit summary provided to legislative leaders this week.
Ruma is a large system that centralizes all of the state’s business, budget, procurement, payroll, financial management and human resources systems for all state employees across all 86 state agencies.
State officials launched Luma in July 2023, based in the Idaho State Comptroller’s Office.
“These issues range from operational inefficiencies to data inaccuracies, causing disruption to day-to-day operations and impacting overall productivity,” the audit said. “Contrary to initial expectations, the transition period has proven to be more complicated than anticipated.”
audit He pointed out various problems with Luma. The Idaho Capital Sun previously These include issues such as the allocation of interest to state agencies, delayed payments from states and duplicate Medicaid payments.
Need to get in touch?
Have a news tip?
After implementing Luma, the agency faced “myriad challenges,” according to a root cause analysis audit of Luma’s ongoing business process issues. Publish online An information technology (IT) audit will also be conducted Tuesday afternoon.
The Comptroller’s Office has described Luma as the largest restructuring of a state operations system in Idaho’s history. State officials say Luma replaces what they call an outdated and weak system.
Luma challenge blocks Idaho from distributing $101 million in interest revenue
“The State Auditor’s Office has relied on a reactive approach to breaking fixes. Their remediation efforts have been driven primarily by individual issues identified and reported by end users, rather than proactively identifying gaps and addressing the issues more comprehensively,” said April Renfro, audit division manager for the Office of Legislative Services. Legislative Council The meeting will take place Monday at the Idaho State Capitol in Boise.
This month, Idaho Two audits of Luma by global accounting firm Baker Tilly.
Renfro said he believes the Idaho State Auditor’s Office will submit a corrective action plan following the audit.
The Idaho State Comptroller’s Office did not immediately respond to a request for comment.
Audit results are ‘inadequate’, finding 60% of data and security controls failing
In a presentation to congressional leaders, Renfro said specific information would be discussed with lawmakers in closed-door executive sessions.
Renfro said the IT audit came to a “weak conclusion,” finding a 59% failure rate across the 101 Luma controls analyzed. According to the report, auditors identified two main areas of risk: 23 deficiencies related to a lack of data validation and 37 deficiencies related to an informally managed security and privacy program.
But those findings vary in severity, with some relating to policies and procedures and others being more significant and relating to data validation procedures, she said.
She said security and privacy controls are largely informal and undefined, and data validation controls by the Idaho State Auditor’s Office are inconsistent and not documented or set up.
“Critical Security Configurations and Infrastructure “While it has been effectively implemented and managed by the State Comptroller’s Office, (the agency) recognizes the need for stronger governance controls, including designing documentation, updating policies and procedures, and implementing key security and privacy processes,” Renfro said in a statement.
After Renfro’s presentation, Sen. Scott Grow (R-Eagle) questioned him about the risks of publicly discussing the audit results.
“How public is this summary? … Where it acknowledges areas of deficiency, it’s kind of giving a road map for someone to come in and try to attack the system,” questioned Groh, who is co-chair of the Legislature’s Joint Finance and Appropriations Committee.
While it sounds like a roadmap has been laid out, Renfro responded, “It doesn’t lay out a roadmap at a level that makes people think they can do it.”
The Legislative Council met in executive session on Monday for about an hour in closed session to “discuss statewide security and related intelligence.”
Get morning headlines delivered to your inbox
What we already knew about Luma’s problems
Luma replaces a series of outdated business systems dating back to 1987 and 1988 that officials with the Idaho State Comptroller’s Office said were past the end of their useful life and vulnerable to security threats and natural disasters that could take physical data centers offline.
The Idaho Legislature approved the creation of Luma in 2018. House Bill 493The company estimates that implementing the new system will cost $102 million over five years.
Since last fall, the Idaho Capital Sun has reported on a number of challenges, procedural glitches and data errors that hindered Luma’s launch, including:
- Idaho Incompetent The goal was to distribute more than $100 million in interest payments to state agencies. This was one of several Luma-related issues Idaho Treasurer Julie Ellsworth revealed to The Sun in February. Idaho Comptroller Brandon Wolf said the goal was to resolve the payment issues by the end of that month. In a presentation to the JFAC that same month, Wolf emphasized that Luma was operational but not yet optimized.
- When the state introduced Luma in July, fewer than 50% of state employees Completed Basic Level Training At Luma.
- In November, the state made more than $32 million in duplicate payments to the Idaho Department of Health and Human Services; Due to the fact that over 3,000 transactions from November 27th were duplicated, Idaho Freedom Foundation We were the first to report on the duplicate payments.
- The Island Park Sustainable Fire Community, a nonprofit in eastern Idaho, I haven’t been paid for months The nonprofit said it began receiving payments for work the group completed and invoiced through a state grant after raising the issue with state lawmakers and reporters.
- During the first three months of the fiscal year that began in July, Idaho officials Unable to generate official comparative earnings reports It is used by legislators and the public to track revenue collections against budget projections and historical revenue levels.
In February, House Speaker Mike Moyle, R-S.C., and a bipartisan group of eight senators Asked The Office of Performance Evaluation, an independent, nonpartisan state oversight agency, will evaluate Luma and report back to the Idaho Legislature.
All staff at the Performance Evaluation Bureau are working on the Ruma report, which the bureau plans to present to Parliament in October, director Rakesh Mohan said. The ruling was conveyed to the Legislative Council on Monday.
Idaho Capital Sun reporter Clark Corbin contributed to this story.
