By Staff Reporter
The state’s audit of Maricopa County’s annual financial report found significant reporting weaknesses.
The review raised concerns over the state of the county’s IT security systems and data maintenance. Some of the recommendations aren’t new: some cover areas the auditor general had made recommendations on in the last two fiscal years.
The auditor general’s office issued its audit last week, addressing the county report for the 2025 fiscal year released in December.
The review found that the county had significant deficiencies in internal control, which are characterized as less severe than material weaknesses. A material weakness is a deficiency that creates a reasonable possibility that a material misstatement of the basic financial statements wouldn’t be prevented, or detected and corrected, on a timely basis.
The report focused on two financial statement findings that may have the potential to harm county operations, IT systems, and data.
Firstly, the auditor general found that the county’s administration and IT management had an inadequate process for identifying, classifying, and inventorying sensitive information requiring stronger access and security controls. This was found to be due to the county’s failure to fully integrate its new data classification policy across all applications and financial systems.
The auditor general recommended a complete implementation of policies and procedures to manage IT systems and data risks, and an identification, classification, and inventory of information requiring stronger access and security controls.
Secondly, the auditor general found insufficient development, documentation, and implementation of policies and procedures for IT systems and data risks. The county’s procedures were inadequate to prevent or detect unauthorized or inappropriate access to IT systems and data, or to ensure that configuration settings were securely maintained.
The county also lacked controls for its IT security policies and procedures intended to prevent unauthorized or inappropriate access or use, manipulation, damage or loss. Furthermore, the county’s contingency plan lacked key elements for operations restoration in the event of a disaster or system interruption.
For this second set of problems, county administration and IT management attributed the shortcomings to only partially implementing established procedures concerning logical access restrictions, changes to the policies and procedures managing configurations and changes, system activity monitoring for users with administrative access privileges, and the disaster recovery plan.
The auditor general recommended that the county monitor all employees’ adherence to access and contingency-planning IT policies and procedures, and that it develop, document, and implement IT policies and procedures for configuration. With its suggested review, the auditor general recommended restricting access to IT systems and data, creating processes for the security impact of proposed changes, performing proactive key user and system activity logging and log monitoring, and testing a contingency plan.
For both problems discovered, the auditor general’s office stressed creating internal controls that follow a credible industry source, suggesting the National Institute of Standards and Technology.
In its response to the audit, the county said, in brief, that it would address and implement the findings by June 30 of this year, about a month before the primary election is scheduled to occur. The county didn’t elaborate at length on its plans to remedy the two problems presented by the auditor general’s office.