LANSING, Mich. — A state audit of the Michigan Unemployment Insurance Agency (UIA) found it did not always protect federal tax information.
The audit was conducted by the state's Office of the Auditor General between October 2019 and September 2021.
It details six findings regarding security practices which protect personal information.
The findings surround two systems, including the Michigan Integrated Data Automated System (MiDAS), which collects unemployment taxes and pays them out to claimants, as well as the Michigan Web Account Manager (MiWAM), where people can file their unemployment claims.
The audit sampled users out of 330 individuals who have the ability, at least, to view federal tax information.
In that, findings stated required background checks were not performed for 80% of the 45 sampled individuals.
Internal Revenue Safeguard Training was not completed for 60% of the same sampled population.
For 61 sampled users who had transferred or left state employment, the UIA did not disable user accounts in a timely manner. 69% of sampled users still had MiDAS application access and 67% of users could facilitate remote logins.
In addition, for 60 sampled users, the UIA did not have complete documentation to support access granted for 25%.
12% of 25 sampled individuals with MiDAS access did not complete security awareness training, according to audit findings.
The audit also listed that improved compliance with the Center for Internet Security (CIS) Benchmarks is needed. At least 14 of 42 new or updated CIS benchmark recommendations should be implemented in the State's environment.
Findings also detailed the UIA did not properly document the authorization to initiate 39% of system changes sampled, and did not maintain documents of post-implementation testing for 24% of changes sampled.
In response to the findings, the UIA's Director Julia Dale released this statement:
“The Michigan Unemployment Insurance Agency has made significant operational changes over the past six months to enhance responsiveness and problem-solving. After more than a decade of disinvestment in UIA, there is still more work to do. UIA is taking decisive steps to bolster our security practices that protect personal information about claimants and businesses. We have instituted a criminal history check and fingerprinting policy for all employees who have access to confidential information. We are more effectively tracking required training for staff, and also timely removing user privileges when a staff member leaves their job. With these changes, UIA has in place robust policies and practices that we are confident we will begin to restore the public’s confidence in our agency.”
The UIA also has seven actions in progress:
- In April, UIA issued the Criminal History Check and Fingerprinting Policy which requires criminal history checks on all users who have access to confidential information in UIA’s possession.
- All users who have access to federal tax information will undergo IRS safeguard training.
- Internal Controls Division has hired an analyst to track all individuals who have access to view FTI and will document training course completion dates and will compare on a weekly basis training logs and access logs.
- The Internal Controls analyst will begin monitoring logs and auditing system records weekly.
- UIA is formalizing the quality control process requiring management to timely terminate MiDAS, State of Michigan network and other access. In addition, the Internal Controls Division will audit weekly the timely removal of MiDAS user access rights.
- MiDAS user access rights will be granted on individual basis based on their specific job requirements and the principle of least privilege will be followed.
- UIA is developing a change management procedure that will require and maintain documentation of approval for business changes. Documentation will be maintained for all post-implementation documentation.
According to the Michigan Office of the Auditor General's website, two other performance audits are in progress on the Michigan UIA involving fraud and investigation activities and claims processing.
