A recent report issued by Virginia’s Auditor of Public Accounts assessed, among other things, controls over state agencies’ compliance in administering federal grant money and financial reporting.
More than a dozen findings involved issues with how the grants were being handled at the departments of: Aging and Rehabilitative Services; Behavioral Health and Developmental Services; Education; Energy; Social Services; and Wildlife Resources.
The report determined that DSS, for instance, had issues monitoring subrecipients of Medicaid grant funding, resulting in agency leaders not receiving quarterly updates on the program’s implementation. The report indicated DSS hired “a director to lead Compliance” and aims to complete “corrective actions” by the end of the current fiscal year.
Apart from financial controls, a number of the audit’s findings were connected to digital systems security issues across more than a dozen state agencies, public universities and their affiliated hospitals. About one-quarter of those "relate to managing or removing access to significant systems" — or removing an employee’s access after they either leave their position or are terminated.
Milos Manic, the director of Virginia Commonwealth University’s Cybersecurity Center, called the IT issues “huge.”
“Those that know — that are inside — actually know the weak point and that's actually way more (of) an issue than … external actors,” Manic said, discussing the report. “It is a big issue, even if it's a small percentage — the risk is so high because they actually know the system really well.”
A spokesperson for the Virginia Information Technologies Agency pointed to Virginia code specifying duties of the state’s chief information officer related to securing information. The language stipulates that the CIO will provide guidance to state agencies in order for their leadership to determine and implement appropriate security measures.
The audit also dinged VITA for not completing systems assessments for five state agencies “that were past the three-year audit requirement.”
Michael Watson, VITA’s chief information security officer, declined to comment on the report as a whole, but said in a statement that “Virginia takes cyber seriously. We are grateful for audits like these because if gaps are identified, they can be addressed.”
This year’s report indicated that the state’s Human Resource Management, Planning and Budget, and Behavioral Health & Developmental Services departments resolved IT issues first identified in 2023.