Findings from a new two-year audit of the North Dakota Information Technology Department highlight two dozen undocumented electronic devices potentially containing private information, such as Social Security numbers of state residents.
State Auditor Josh Gallion released the audit report Monday. It noted four laptops, 10 servers, three tablets and seven desktop computers worth about $92,000 among 217 "unlocated" pieces of office, network and computer equipment in the department's 2018 annual inventory. Those 24 devices could have "sensitive information," the report said.
Auditor's spokeswoman Brianna Ludwig said "sensitive information" includes home addresses, phone numbers, Social Security numbers, and user IDs and passwords for state employees and residents.
She confirmed no such information was used or penetrated from the outside, but the audit indicated it posed a security risk. Information Technology attributes the undocumented devices to clerical errors or missed paperwork when the devices were transferred from the department's inventory to the state's surplus property.
Gallion said in a statement that "to safeguard assets, a thorough asset inventory management process is necessary and required by (the Office of Management and Budget). It’s concerning that we have assets out there which could have sensitive information on them and ITD could not find them."
It's unclear if any undocumented devices are missing. Ludwig said Gallion had no additional comments. Chief Information Officer Shawn Riley in an emailed statement described the questioned inventory as "unfound assets."
Information Technology also said some devices can be electronically "pinged" for inventory and some of the undocumented items are presumed to be in place but are counted as "not found" until physically inspected, such as in a public library's wiring closet.
Riley also said the department has added several controls to its inventory procedures, including a tracking system for reducing the manual record keeping errors "that were the root cause of most of the 2018 inventory exceptions."
Information Technology also has implemented a security team process to ascertain if "unfound" devices have sensitive information and added steps to the inventory process to document the search for such devices, according to its statement.