The Public Employees Retirement Association (PERA) does not have a comprehensive security program that is capable of responding promptly to volatile technology risks. Of greatest concern, the retirement association had not devoted sufficient staff to perform important security duties. At the time of our audit, one information technology professional managed most aspects of the security infrastructure. No backup employees had been cross-trained to perform these critical security duties. Compounding this risk, PERA had not completed a formal information technology risk assessment or developed written security policies, procedures, and standards. Finally, the retirement association had very few monitoring controls to detect and promptly respond to potential security breaches.
These security program shortcomings allowed serious internal control weaknesses to go unchallenged:
Financial-Related Audit Reports address internal control weaknesses and noncompliance issues found during our audits of state departments and agencies. The scope of our work at the Public Employees Retirement Association was limited to a review of controls that protect the integrity of its mission critical business data.