Louisville Metro government lacks sufficient policies and oversight for the proper management of employee cell phone usage, according to a recent report from the Office of Internal Audit.

Findings from the audit show city officials need to improve the operational and fiscal administration of cell device usage among city employees.

The city’s internal auditor reviewed cell phone activity from April 30, 2015 to May 1, 2016 in the report made public earlier this month. During that time, Louisville Metro spent some $528,000 on about 900 cell devices.

The audit found procedures that can lead to unnecessary costs, inadequate processes for protecting against a data breach and insufficient systems for collecting and tracking cell devices from terminated employees.

The Office of Internal Audit regularly conducts independent, objective reviews of all city departments, offices, boards and agencies. Following a review, the office submits recommendations to Mayor Greg Fischer, the Louisville Metro Council and agency directors.

The review of city cell device usage is the first audit report published in 2017, according to the office’s website.

Included in the report is a letter from May R. Porter, chief audit executive, in which she notes the scope of the audit included “interviews of key personnel and examination of supporting documentation.”

“The examination would not identify all weaknesses because it was based on selective review of data,” she also noted.

Lack of Oversight

Cell phones are assigned to Louisville Metro government employees in a number of city departments, including Codes and Regulations, Public Works and the Louisville Zoo, among others.

Despite the vast disbursement of cell devices across city departments, there’s no policy guiding the provisioning and deprovisioning of cell devices, auditors found. Such a policy is necessary, the report states, to monitor the use and potential for abuse of the city’s cell device program.

In some instances, upon an employee’s termination their cell device remained active and in service for up to seven months, auditors found. What’s more, the city lacks a uniform process for collecting and tracking cell devices of terminated employees or decommissioned cell devices.

“Some departments hold them for possible future use; some departments return them to (the Department of Information Technology), and some departments are not aware of the disposition of the devices assigned to departmental employees,” auditors noted.

This lack of oversight “increases the risk of a data breach as many cellular devices contain sensitive information,” auditors reported.

Additionally, auditors were unable to determine if proper policies are followed regarding the wiping of data on cell devices to “prevent unauthorized access to confidential information.”

In every instance examined by auditors, there was “insufficient documentation” to prove such a wipe had occurred, despite requirements to do so, the audit shows. By not tracking such actions, the city may be forced to purchase unnecessary application licenses that allow emails to be synced with phones and desktop computers, auditors found.

In other instances, proper documentation “could not be located” to ensure cell device purchases were properly authorized, auditors found.

And in other cases, auditors could not locate documents showing cell device users acknowledged policies meant to guide the use of city data and resources on personal cell devices. This made it unclear to auditors if the users had “agreed to comply with the applicable policies.”

Key Recommendations

The Department of Information Technology agreed to comply with many of the nine recommendations from auditors to remedy issues uncovered in the review.

Among those recommendations is the request to develop policies and procedures to guide the provisioning and deprovisioning of cell devices.

“It is a best practice to develop and maintain policies and procedures to monitor for duplicate devices, abuse of the replacement policy and usage by terminated employees and/or unauthorized users,” the report notes.

Porter, the chief auditor, declined to offer further comment on the findings.

A spokesman for Mayor Fischer’s office did not return a request for comment.

David Yates, president of the Metro Council, also did not return a request for comment, nor did a spokesman for the council’s minority Republican caucus.

Jacob Ryan is a reporter for the Kentucky Center for Investigative Reporting.