LSA releases report on audit of IDPH, boards

By Bob Eschliman


On Friday, the Legislative Services Agency released a special audit report of the Iowa Department of Public Health that found a need for process changes in four semi-autonomous boards under IDPH’s authority.

The audit, conducted by the Auditor of State’s Office and reported to the LSA in January, focused on technology expenditures and employee reimbursements of the Iowa Board of Pharmacy, the Iowa Dental Board, the Iowa Board of Medicine, and the Iowa Board of Nursing. Most of the recommendations for change affect the Board of Pharmacy.

The report covers the period from July 1, 2011, to Aug. 31, 2014. Not all of the Auditor’s Office’s concerns are detailed in the LSA’s report to the General Assembly; the full audit also included recommendations regarding procurement and inventory control, as well as questionable expenses, none of which exceeded $250.

Much of the report, however, focused on the following issues:


Board of Pharmacy Purchases

The Auditor’s Office reviewed 40 employee reimbursements made by the Board of Pharmacy, totaling $42,553, for purchases of equipment, Internet and mobile broadband charges, office supplies, and postage during the period of July 1, 2011, through June 30, 2012. Specifically, the reimbursements covered:

  • 24 iPad tablet computers,
  • 12 printers,
  • 5 scanners,
  • a MacBook Pro laptop computer,
  • a Dell laptop computer,
  • an iMac desktop computer,
  • a Hewlett-Packard desktop computer,
  • 3 Garmin GPS navigators,
  • 2 pairs of Bose noise-cancelling headphones,
  • 2 sets of Bose wireless speakers,
  • a Kindle Fire tablet computer,
  • a Flip video camera,
  • Microsoft Office for Mac software,
  • an Apple TV, and
  • various accessories for the above products, including cases, adapters, ink cartridges, and external batteries.

Because these purchases were made through employee reimbursement rather than the state’s purchasing channels, the Board of Pharmacy paid $412 in sales tax from which it is otherwise exempt. The Auditor’s Office recommended that future equipment and office supplies be purchased with a state-issued procurement card, or through the standard expenditure process, not through employee travel payments.

In response, the Pharmacy Board said it had hired new staff in 2011, and functioned without an IT specialist prior to August 2011. Once the board became aware of purchasing requirements in 2012, it changed its procedures.

However, in its final conclusion, the Auditor’s Office found the new equipment did not eliminate the need for the old technology.

“Responses on the written questionnaires indicated the new technology is not capable of performing all necessary functions,” the report stated. “Consequently, the old technology is still being used, as well. This makes the cost effectiveness of the purchases unclear.”


Board of Medicine Duplication

The Auditor’s Office reviewed the multiple electronic devices assigned to Board of Pharmacy and Board of Medicine staff that perform similar functions. The Board of Pharmacy director and all seven compliance officers confirmed they each have the following assigned to them:

  • a laptop computer,
  • an iPad tablet computer,
  • an iPhone,
  • a printer, and
  • a scanner.

The Auditor’s Office found other board employees had both a laptop computer and an iPad tablet computer. The employees said the iPads did not perform all the necessary functions for them to complete their daily job duties, which required them to each have laptop computers, as well.

The Board of Pharmacy pays all of the cost for data plans for the iPads, and all of the cost of home Internet service for the director and seven compliance officers. It also paid for mobile broadband fees for three of the eight, as well as the cost of iPhones and related data plans for 17 employees.

The reimbursement for data plans and mobile broadband services was not discontinued until January 2014.

The Board of Medicine maintains an inventory of eight iPads that are available for staff to reserve for research, presentations, or travel. No formal logs are maintained, however, to document their use, so the Auditor’s Office wasn’t able to determine how frequently they were used.

The Board of Medicine was also paying all of the home Internet costs for an employee.

The Auditor’s Office recommended the boards review equipment purchases and assignments to ensure the purchases meet the “test of public purpose” and that equipment is distributed to staff in a manner that maximizes efficiency while avoiding duplication of function. It also recommended the Board of Pharmacy review the propriety of the costs paid for home Internet service and state-issued cell phone bills for the five compliance officers who reside in the Des Moines area, to determine whether it was reasonable to pay 100 percent of the cost.

In its response, the Board of Pharmacy said it did not have sufficient office space to accommodate the five compliance officers who reside in the Des Moines area. As field staff, they have always maintained home offices from which they work, and the board has always provided the equipment needed to perform their duties.

“The equipment needs of staff have changed as the Board of Pharmacy has moved to an ever-increasing digital work environment,” its reply stated. “The Board of Pharmacy staff utilize state-issued iPads and cell phones exclusively for work purposes. The board staff maintain their own separate, private cell phones for their personal use.”

In its final conclusion, the Auditor’s Office stated that the availability of home Internet service has become more commonplace, making the public purpose of reimbursing employees for home Internet “not clear.” During the review period, the Auditor’s Office noted, the board did not have technology in place to monitor device usage, making it impossible to determine if state-issued equipment was used exclusively for work purposes.

In its response, the Board of Medicine stated staff equipped with desktop and laptop computers and smartphones regularly work in and out of the office to perform their job responsibilities. It stated the multiple platforms and formats are used to maximize efficient use of the board’s limited resources to respond to “burgeoning and complex workloads.”

In its final conclusion, the Auditor’s Office stated the Board of Medicine must review purchases and assignments to ensure they meet the test of public purpose and avoid duplication of function. If the public purpose is not clear, it should be clearly stated and included on the supporting documentation for the purchase.


Telework Agreements

The Auditor’s Office noted the state assumes no responsibility for operating costs associated with an employee using his or her personal residence as an alternative work site. This includes home maintenance, insurance, utilities, telephone service, etc.

However, the Board of Pharmacy director and seven compliance officers, and two field staff for the Board of Medicine were reimbursed for home Internet service through travel payment reimbursements. Additionally, three Board of Pharmacy employees were being reimbursed for actual costs that exceeded the Department of Administrative Services’ $50 monthly maximum.

No telework agreements were in place for any of them. In its recommendation, the Auditor’s Office said telework agreements must be approved for all employees working from home and receiving reimbursement for home Internet service.

“The telework compensation should be added to the employees’ taxable wages and processed through the state’s centralized payroll process. In addition, the Board of Pharmacy should ensure reimbursements are limited to the DAS maximum of $50 per month.”

In its response, the Board of Pharmacy said it had been operating under IDPH directives dated November 2011, and that after it learned of the DAS policy in 2013, telework agreements were put in place for the compliance officers. They are now compensated through the centralized payroll process, and reimbursements are limited to the $50 monthly maximum. Home Internet compensation for the Pharmacy Board director was discontinued in 2013.

The Board of Medicine said it was directed to reimburse home Internet through travel payment reimbursements by IDPH and DAS because the two employees were exempt from telework agreements. In January of 2014, the board was notified of a DAS policy change that meant its field staff members were required to have telework agreements, and that their Internet reimbursements were to be considered taxable wages.

“Based on a review of the correspondence provided by the IDPH in November 2011, the response only applied to those individuals that were not assigned to work from home on a full-time basis,” the Auditor’s Office’s final conclusion stated. “The compliance officers and field staff identified were working from home on a full-time basis. In addition, the DAS policy was officially issued on August 17, 2011, and was incorporated into the revised DAS-HRE Manual in January 2012. The policy specifically states Internet compensation is to be added to the employee’s taxable wages.”


Security Policies

The Auditor’s Office compared the security policies implemented by the IDPH and each of the four boards to the state’s laptop data protection security standards developed by DAS. The standard applies to all laptops, netbooks, and tablet computers, and among the requirements are:

  • the latest critical security patches must be installed within five business days of release,
  • laptops must be erased or disabled after 10 unsuccessful password attempts, and must lock after no more than 15 minutes of inactivity,
  • encryption must be used, and must include pre-boot user authentication, unless a variance is approved by the Chief Information Security Office, and
  • strong passwords must be used, meaning at least eight characters, a mix of numbers and letters, and at least one “special character,” such as a punctuation mark (!, ., ?), an ampersand (&), or a commercial at (@).
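The requirements above are concrete enough to check mechanically, which is essentially what the auditor did by questionnaire. The script below is an added example, not code from the audit report, IDPH, or any of the boards: it evaluates a constructed device inventory against the five requirements as the article summarizes them. The record format, device names and password samples are assumptions, as is the reading of “five business days” as weekdays with holidays ignored.

```python
"""Check a constructed device inventory against the DAS laptop/tablet
data-protection requirements as summarized in the audit report.
Added example; record layout and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional
import re

MAX_PATCH_BUSINESS_DAYS = 5   # critical patches installed within 5 business days
MAX_FAILED_ATTEMPTS = 10      # erase/disable after 10 bad password attempts
MAX_IDLE_MINUTES = 15         # lock after no more than 15 minutes idle
MIN_PASSWORD_LENGTH = 8


def business_days_between(start: date, end: date) -> int:
    """Weekdays elapsed after `start` up to and including `end`.
    Assumption: no holiday calendar, so Mon-Fri all count."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def password_meets_standard(pw: str) -> bool:
    """At least eight characters, both letters and digits, and at least one
    special (non-alphanumeric) character such as ! , . ? & @."""
    return (len(pw) >= MIN_PASSWORD_LENGTH
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


@dataclass
class Device:
    name: str
    patch_released: date
    patch_installed: Optional[date]          # None = still not installed
    wipe_after_failed_attempts: Optional[int]  # None = not configured
    idle_lock_minutes: Optional[int]          # None = not configured
    encrypted: bool
    preboot_auth: bool
    encryption_variance_approved: bool
    password_sample: str   # constructed sample used only to test the policy


def check_device(dev: Device, as_of: date) -> List[str]:
    """Return one finding string per failed requirement (empty = compliant)."""
    findings = []
    installed = dev.patch_installed or as_of   # missing patch: count to today
    lag = business_days_between(dev.patch_released, installed)
    if dev.patch_installed is None or lag > MAX_PATCH_BUSINESS_DAYS:
        findings.append(f"patch: {lag} business days since release "
                        f"(limit {MAX_PATCH_BUSINESS_DAYS})")
    if (dev.wipe_after_failed_attempts is None
            or dev.wipe_after_failed_attempts > MAX_FAILED_ATTEMPTS):
        findings.append("failed attempts: no wipe/disable at 10 or fewer")
    if dev.idle_lock_minutes is None or dev.idle_lock_minutes > MAX_IDLE_MINUTES:
        findings.append("idle lock: not set or longer than 15 minutes")
    # Encryption with pre-boot authentication is required unless the CISO
    # approved a variance for this device.
    if not (dev.encrypted and dev.preboot_auth) and not dev.encryption_variance_approved:
        findings.append("encryption: no pre-boot-authenticated encryption "
                        "and no approved variance")
    if not password_meets_standard(dev.password_sample):
        findings.append("password: does not meet strong-password requirement")
    return findings


def audit_inventory(devices: List[Device], as_of: date) -> Dict[str, List[str]]:
    """Map each device name to its findings."""
    return {d.name: check_device(d, as_of) for d in devices}


# Constructed inventory: a laptop configured to the standard and a tablet
# that misses every requirement (the dates are invented).
AS_OF = date(2013, 2, 15)
INVENTORY = [
    Device("field-laptop-01", date(2013, 2, 1), date(2013, 2, 6),
           10, 15, True, True, False, "Rx-Board2013!"),
    Device("tablet-07", date(2013, 2, 1), None,
           None, 30, True, False, False, "pharmacy1"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, AS_OF).items():
        print(name, "COMPLIANT" if not findings else "NON-COMPLIANT")
        for f in findings:
            print("  -", f)
```

The tablet record reproduces the audit’s three Pharmacy Board findings (patching, failed-attempt wipe, idle lock) plus the encryption and password failures; the laptop passes. A real check would pull these values from an MDM or endpoint-management export rather than a hand-built list, but the comparison logic is the same.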

The Auditor’s Office found the Pharmacy Board was not in compliance with the requirements for security patches, wiping after failed password attempts, and locking after inactivity. At the time of the audit, it was in the process of implementing a program that would allow it to comply.

“We determined neither IDPH nor any of the four boards requested the appropriate variance for iPads prior to their purchase and assignment,” the Auditor’s Office report stated. “According to a representative of the Information Security Office, although a few iPads have been approved, they are considered insecure because the encryption is not sufficient to protect the data.”

The Auditor’s Office review found none of the passwords used by IDPH or any of the four boards met the “strong password” requirement. It also found that the policies addressing iPads were created only after the Auditor’s Office began looking into the IDPH and the four boards.

“Based on a review of the security policies provided, the Medicine policy addressing iPads, dated January 1, 2013, appears to have been created and/or approved after we began performing procedures,” it stated. “In addition, the iPad policies for the other three boards appeared to have been created and/or approved after we requested them. Written questionnaires were sent to the director of each of the four boards on February 5, 2013. The policy provided by Nursing did not have an effective date but was marked as revised in February 2013. The policy provided by Pharmacy did not have an effective or revision date; however, according to the director, the policy was approved on February 25, 2013. In addition, the effective date of the policy provided by Dental was March 11, 2013.”

The Auditor’s Office recommended that IDPH and the four boards ensure they are in compliance with state standards, and that policies regarding data security be developed and implemented in a timely manner. It also recommended that policies be periodically reviewed to ensure they comply with any revisions made to state standards.

In response, IDPH and each of the boards noted they were working to comply with state standards. The Board of Medicine also noted it had been working on a set of technology and security policies since June 2012. The Dental Board said it had a variance for its one iPad and that after receiving notification from the Chief Information Security Office in February 2011, it has “ensured the mobile device security standard is met.”

The Auditor’s Office let most of the responses stand without further comment, but added a final conclusion on the Dental Board’s response. It stated the Dental Board had been required to obtain a second variance from the CISO but did not, and that while iPads are included in the state’s data protection standards, they are incapable of meeting those standards.