close

Fayette County acting controller, commissioner allege breach of financial system

By Patty Yauger pyauger@heraldstandard.Com 6 min read
1 / 3

Zimmerlink

2 / 3

Vincent Zapotosky

3 / 3

Ambrosini

An alleged access breach of Fayette County’s accounting and information system has prompted Commissioner Angela M. Zimmerlink, on behalf of the acting controller, to further an investigation already under way by the controller’s office.

In unanimous action on Tuesday, the commissioners agreed to advance an item to next week’s meeting agenda that, if approved, would call for a risk analysis of the New World System and other measures to determine what actions need to take place to prevent future incidents.

According to recent correspondence that was shared with Zimmerlink, Sam Lynch, Susquehanna Group Advisors Inc. senior consultant and the county’s financial accountant, was allowed additional access to the New World System, without the knowledge of the controller’s office or the full board of commissioners.

In the May 14 correspondence from then-Deputy Controller Jeanine Wrona to then-Controller Sean Lally, Wrona said that after meeting with commission Chairman Al Ambrosini, information technology director Kebin Holbert and Lynch, she was able to confirm that “the server for the New World System was entered through the back door by the (technology department director) without permission of the controller or his deputies” at the sole discretion of Ambrosini.

“This is how the controller security permissions were taken away and sole security permission for use within the New World System was granted to (the information technology department),” wrote Wrona. “This change was never discussed with the controller’s office and was done without controller’s consent.”

Since the correspondence, Lally has taken a position in Monroeville and Wrona named acting controller.

Zimmerlink said that she was notified on Friday of the matter and asked by Wrona to further the investigation.

“Once the controller was advised of the access breach, he immediately took action to return (Lynch’s) access to its previous level,” she said, adding that she had no knowledge of the breach until last week when approached by Wrona. “(Wrona) as now acting controller has continued to investigate and believes other measures should be taken.”

Zimmerlink said Lynch should have only modest access to the system as a county consultant.

“He (initially) had very limited access,” said Zimmerlink, adding that any county consultant would only have the ability to see information that was within their purview. “He was given full access.”

Zimmerlink said that it is not only her opinion, but that of the controller’s office, that Lynch should not have been allowed to have the ability to view employee records or other materials or information that was not tied to his duties as financial consultant.

“He should not have full access; he is a financial consultant,” she said. “We did not retain (Lynch) to do any (human resources) work.

“(His employment) was to provide technical assistance to the county accounting department and assist in the preparation of the budget,” added Zimmerlink.

Commissioners and other departments only have limited access to the system, said Zimmerlink. However, if additional information is needed, the controller’s office has the ability to enter the system and locate the data needed by a director or consultant that does not have that access.

“The controller’s office has the ability to take the necessary steps to provide that information while maintaining the integrity of the system, employment records and financial records,” said Zimmerlink.

Commissioner Vincent Zapotosky said that he, too, was recently apprised of the matter.

“These are just allegations,” he said. “No one has done anything pending review.”

Ambrosini maintained that he did not make an arbitrary decision that would allow Lynch unrestricted access to the system, but instead to have Holbert restore his access that was withdrawn by Wrona.

When the system was first installed, the controller’s office was given the responsibility of working with each of the departments to determine what access was needed by each office and the training of the county employees to use the related features of the system, said Ambrosini.

Over the past year, Wrona has had the sole responsibility for adding or changing the access capabilities.

Lynch’s duties include overseeing compliance with all accounting regulations and aiding commissioners and the chief clerk with preparing the budget.

“For some reason over this past year or so, (Lynch) has found from time to time that his permissions (to access New World System) had been denied,” said Ambrosini. “He would call and (Wrona) would restore them, but there was never any explanation as to what had happened.”

In recent months, Lynch, along with Chief Clerk Amy Revak and requisition clerk Jill Myers, have found that the denial of access was becoming more frequent.

“We need these people to be able to do their work,” said Ambrosini.

When he was unable to garner an explanation from Wrona as to what was causing the problem, he asked Holbert to enter the system and restore the access to Lynch, Revak and Myers.

Wrona was additionally asked to propose a procedure that would allow access to the system, with certain approvals.

Ambrosini said because he has yet to receive the requested procedure from the controller’s office, he asked Revak to poll other counties to determine what department oversees their respective financial management software system and learned that most allow the information technology department to control the access thresholds.

Six counties responded to the inquiry.

“Not one county uses the controller’s office to monitor the permissions, and any permission changes would go through the commissioners’ office,” he said of the results of the poll.

Ambrosini said that he has spoken to Zapotosky about making changes, that if implemented, would follow a similar plan, with the commission office signing off on access permission changes and the information technology department making the approved changes within the system.

“This is something that (Zapotosky) and I have agreed on, but have yet to discuss with the controller’s office,” he said. “It has not been implemented.”

The measures recommended by Wrona and presented by Zimmerlink, meanwhile, include discussion with staff; review of back-door computer access; execution of a memorandum of understanding between the county and the contracted financial consultant and the possibility for a computer risk analysis.

Zimmerlink said that she continues to have concerns that risks to the system remains and that department heads continue to take direction from only one commissioner when all officials should be informed of matters of concern.

“No county staff member should take the direction of one commissioner,” she said. “One commissioner does not rule; all three should be involved and the majority rule and that was not the case in this instance.”

CUSTOMER LOGIN

If you have an account and are registered for online access, sign in with your email address and password below.

NEW CUSTOMERS/UNREGISTERED ACCOUNTS

Never been a subscriber and want to subscribe, click the Subscribe button below.

Starting at $4.79/week.

Subscribe Today