FRANKFORT, KY – On Tuesday, February 9, 2021 Auditor Mike Harmon's office released the first volume of the Statewide Single Audit of Kentucky (SSWAK) for Fiscal Year 2020. The SSWAK contains 25 findings, half of them dealing with problems identified within the Office of Unemployment Insurance (OUI) and the Unemployment Insurance (UI) fund.
"When we issued a qualified opinion on the UI fund as part of the Comprehensive Annual Financial Report, or CAFR, audit in December 2020, it was based on the fact the Commonwealth did not know how much money is still owed to Kentuckians who filed for unemployment benefits and the numerous internal control issues within OUI," said Auditor Harmon. "The SSWAK report details those and other issues within our unemployment insurance system, which should be deeply concerning to taxpayers and those who have filed for UI benefits."
The onset of the COVID-19 pandemic presented many challenges for state government, and particularly for OUI, as business closures led to thousands of Kentuckians becoming unemployed. For example, there were 49,023 new unemployment claims filed during the week ending March 21, 2020 and an additional 113,149 new claims filed during the week ending March 28, 2020. Also, three significant new unemployment insurance programs were created via the federal Coronavirus Aid, Relief and Economic Security Act (CARES): Pandemic Unemployment Assistance (PUA), Pandemic Emergency Unemployment Compensation (PEUC) and Federal Pandemic Unemployment Compensation (FPUC).
Among the issues auditors identified within OUI and the UI fund are:
- Due to the volume of claims and new federal programs related to the COVID-19 pandemic, OUI leadership made decisions that violated federal law and sacrificed program integrity in an attempt to more quickly get payments to unemployed individuals. One of these changes, referred to as "Auto-Pay," allowed UI benefits to be automatically paid without requiring claimants to report the weekly wage information needed to determine whether they were actually eligible for benefits. Seasoned OUI and Commonwealth Office of Technology (COT) staff expressed concerns about implementing Auto-Pay, but it was implemented in spite of those concerns. Auto-Pay was in effect two weeks for traditional UI and eight weeks for PUA, and it contributed to causing many of the issues identified in the auditor's findings.
- Although OUI officials made high-risk decisions in an attempt to pay benefits more quickly, many claims still were not timely processed. As of October 29, 2020, the claims backlog of unprocessed, initial jobless claims totaled approximately 80,000. Additionally, OUI had archived more than 400,000 emails the office received through its UI assistance email account that remained unread as of November 9, 2020. These emails from claimants could include indications or problems for OUI to address, not to mention general questions from unemployed Kentuckians. This issue is described in Finding 2020-003 in the SSWAK report, which also highlights how OUI made management decisions that directly conflicted with federal law. In fact, a security breach involving user confidentiality earlier in the year was only discovered because of an email from a claimant, which is referenced in Finding 2020-023 of the audit.
- The external pressure of the pandemic incentivized OUI management to override important system controls. Due to the lack of controls over payments during the Auto-Pay period, auditors could not precisely estimate total overpayments or underpayments. While Auto-Pay was in effect, $17.8 million was paid in traditional UI benefits, $129.9 million was paid in PUA benefits, and $507.7 million was paid in FPUC benefits. While not all of these payments were improper, they were paid in a control environment highly conducive to improper or even fraudulent payments.
- Serving as a good illustration of the problems created by Auto-Pay, auditors selected a sample of 37 state employees who filed for and received UI benefits, and discovered 16 state employees were paid unemployment benefits for the loss of part-time jobs despite still being employed by the state. Claimants are required to report any earnings during the week for which they are claiming benefits, and their full-time state wages would have made these employees ineligible for benefits. However, the adoption of the "Auto-Pay" policy eliminated the system control that asked claimants to report their weekly earnings, and so the system did not take into account wages from their full-time state employment. The net overpayment in this sample was more than $116,000. Furthermore, seven of the employees did not report wages earned from full-time employment even when the Auto-Pay period had ended despite having the ability to do so.
- OUI did not develop a reasonable and reliable estimate of unpaid claims for the accounts payable balance of the UI fund. Initially, OUI was unaware of the need to produce an estimate. After auditors inquired, in October 2020, OUI estimated there were more than $731.8 million in yet-to-be paid claims. However, OUI only had limited documentation to support their estimate. Auditors then determined that OUI's estimate did not include the FPUC portion of UI claims, which increased the estimated amount owed in claims to $2.08 billion. After making OUI aware, auditors then received a third estimated amount of $144.5 million. Auditors then asked additional questions related to areas that didn't have supporting documentation, such as the percentage of claim weeks likely to be paid, which resulted in the estimate of unpaid claims being lowered to $88.9 million. This issue in addition to the internal control issues noted within OUI led to the qualified opinion on both the unemployment compensation fund and the business-type activities for the Fiscal Year 2020 CAFR.
- OUI had multiple issues related to information security and data processing. The UI system contains the private, personal taxpayer information for every employed Kentuckian, and the audit revealed that federally mandated and state required monthly system security checks were not performed. In addition, the UI mainframe performed job batch and production schedules that were undocumented and for which no one at UI or COT could provide an explanation, the system maintained "active" user interfaces that could not be explained and which were not used, basic security protocols such as employee vetting and required password resets were lax, and the system allowed and experienced manual changes to claimant files through direct mainframe access. All of this occurred in an agency operational environment where ongoing updates and software changes were pushed through with improper and missing documentation, lack of testing, and implementation in contravention of the agency's own policies.
- OUI failed to inform the Auditor of Public Accounts, along with other state agencies, of three data breaches that occurred in April and May 2020. State law requires agencies to notify APA and others within 72 hours of the occurrence. On April 23 and 24, 2020 a data breach was reported by a UI claimant who reported they had viewed other claimant's uploaded documents including Social Security cards, driver's licenses and birth certificates. OUI did not notify APA and others until after the media learned of the breach, at least a month after it occurred. And on May 6, 2020 after OUI claimed a security patch had permanently resolved the issue, a similar data breach occurred again. APA was not notified about the breach until two months after it happened.
"The majority of the findings involving OUI come back to one common issue, which is the decision to remove controls that provided better oversight on verification and payment of UI benefits," said Auditor Harmon. "It breaks my heart to think of those Kentuckians included in the 400,000 unopened emails who so desperately wanted their voices heard and yet were ignored. The systemic failure of leadership on all levels not only violated federal law, but also let down many who needed relief. It also leaves others facing the prospect of repaying the government for miscalculated payments they received in good faith."
In addition to findings regarding OUI and the UI fund, Volume one of the SSWAK also contains findings and recommendations for issues auditors identified within other agencies including but not limited to the Kentucky Finance and Administration Cabinet, Commonwealth Office of Technology (COT), and the Kentucky Transportation Cabinet.
You can review the full SSWAK report, which includes responses from the various state agencies here. Volume two of the SSWAK, which deals with Kentucky's compliance with federal grant requirements, will be released in April.
###
The Auditor of Public Accounts ensures that public resources are protected, accurately valued, properly accounted for, and effectively employed to raise the quality of life of Kentuckians.
Call 1-800-KY-ALERT or visit our website to report suspected waste and abuse.
