© 2024 Louisville Public Media

Public Files:
89.3 WFPL · 90.5 WUOL-FM · 91.9 WFPK

For assistance accessing our public files, please contact info@lpm.org or call 502-814-6500
89.3 WFPL News | 90.5 WUOL Classical 91.9 WFPK Music | KyCIR Investigations
Play Live Radio
Next Up:
0:00
0:00
0:00 0:00
Available On Air Stations
Stream: News Music Classical

Internal Audit Finds Issues With Louisville Metro Cell Device Program

Louisville City Hall
J. Tyler Franklin
Louisville City Hall

Louisville Metro government lacks sufficient policies and oversight for the proper management of employee cell phone usage, according to a recent reportfrom the Office of Internal Audit.

Findings from the audit show city officials need to improve the operational and fiscal administration of cell device usage among city employees.

The city's internal auditor reviewed cell phone activity from April 30, 2015 to May 1, 2016 in the report made public earlier this month. During that time, Louisville Metro spent some $528,000 on about 900 cell devices.

The audit found procedures that can lead to unnecessary costs, inadequate processes for protecting against a data breach and insufficient systems for collecting and tracking cell devices from terminated employees.

The Office of Internal Audit regularly conducts independent, objective reviews of all city departments, offices, boards and agencies. Following a review, the office submits recommendations to Mayor Greg Fischer, the Louisville Metro Council and agency directors.

The review of city cell device usage is the first audit report publishedin 2017, according to the office's website.

Included in the report is a letter from May R. Porter, chief audit executive, in which she notes the scope of the audit included "interviews of key personnel and examination of supporting documentation."

"The examination would not identify all weaknesses because it was based on selective review of data," she also noted.

Lack of Oversight

Cell phones are assigned to Louisville Metro government employees in a number of city departments, including Codes and Regulations, Public Works and the Louisville Zoo, among others.

Despite the vast disbursement of cell devices across city departments, there's no policy guiding the provisioning and deprovisioning of cell devices, auditors found. Such a policy is necessary, the report states, to monitor the use and potential for abuse of the city's cell device program.

In some instances, upon an employee's termination their cell device remained active and in service for up to seven months, auditors found. What's more, the city lacks a uniform process for collecting and tracking cell devices of terminated employees or decommissioned cell devices.

"Some departments hold them for possible future use; some departments return them to (the Department of Information Technology), and some departments are not aware of the disposition of the devices assigned to departmental employees," auditors noted.

This lack of oversight "increases the risk of a data breach as many cellular devices contain sensitive information," auditors reported.

Additionally, auditors were unable to determine if proper policies are followed regarding the wiping of data on cell devices to "prevent unauthorized access to confidential information."

In every instance examined by auditors, there was "insufficient documentation" to prove such a wipe had occurred, despite requirements to do so, the audit shows. By not tracking such actions, the city may be forced to purchase unnecessary application licenses that allow emails to be synced with phones and desktop computers, auditors found.

In other instances, proper documentation "could not be located" to ensure cell device purchases were properly authorized, auditors found.

And in other cases, auditors could not locate documents showing cell device users acknowledged policies meant to guide the use of city data and resources on personal cell devices. This made it unclear to auditors if the users had "agreed to comply with the applicable policies."

Key Recommendations

The Department of Information Technology agreed to comply with many of the nine recommendations from auditors to remedy issues uncovered in the review.

Among those recommendations is the request to develop policies and procedures to guide the provisioning and deprovisioning of cell devices.

"It is a best practice to develop and maintain policies and procedures to monitor for duplicate devices, abuse of the replacement policy and usage by terminated employees and/or unauthorized users," the report notes.

Porter, the chief auditor, declined to offer further comment on the findings.

A spokesman for Mayor Fischer's office did not return a request for comment.

David Yates, president of the Metro Council, also did not return a request for comment, nor did a spokesman for the council's minority Republican caucus.

Jacob Ryan is the managing editor of the Kentucky Center for Investigative reporting. He's an award-winning investigative reporter who joined LPM in 2014. Email Jacob at jryan@lpm.org.