Idaho’s new Luma business system missing data, security controls, audits find
Idaho’s new statewide business system lacked a range of information technology controls for data validation and security, according to a summary of audits provided to legislative leaders this week.
Luma is a massive system that centralizes all of the state’s business, budget, procurement, payroll, financial management and human resources systems for all state employees at all 86 state agencies.
In July 2023, state officials launched Luma, which is based in the Idaho State Controller’s Office.
“These issues ranged from operational inefficiencies to data inaccuracies, leading to disruptions in day-to-day processes and impacting overall productivity,” the audits found. “Despite initial expectations, the transition period proved to be more complex than anticipated.”
The audits highlighted a range of issues with Luma — some of which the Idaho Capital Sun has previously reported — including issues with interest allocation to state agencies, payment delays from the state and duplicated Medicaid payments.
Agencies encountered “a myriad of challenges” after Luma’s rollout, according to the root-cause analysis audit of ongoing business process issues with Luma, released online Tuesday afternoon, along with the information technology, or IT, audit.
The controller’s office describes Luma as the largest re-engineering of state business systems in Idaho’s history. State officials have said Luma replaced what officials called outdated and vulnerable systems.
“The State Controller’s Office has relied on a reactive approach to break fixes. Their efforts to remediate issues are largely driven by individual issues that are identified and reported from end users, rather than proactively identifying gaps and addressing issues more holistically,” Legislative Services Office’s audit division manager April Renfro said at a Legislative Council meeting on Monday in the Idaho State Capitol Building in Boise.
This month, Idaho received two audits into Luma from global accounting firm Baker Tilly.
Renfro said she believed the Idaho State Controller’s Office will submit corrective action plans following the audits.
The Idaho State Controller’s Office could not be immediately reached for comment.
Audit had ‘unsatisfactory conclusion,’ finds 60% failure for data and security controls
In her presentation to legislative leaders, Renfro said certain information would be discussed with lawmakers in an executive session closed to the public.
The IT audit had an “unsatisfactory conclusion,” finding 59% failure rate across 101 Luma controls it analyzed, Renfro said. Auditors identified two main areas of risk, according to the report: 23 deficiencies related to a lack of data validation, and 37 deficiencies related to an informally managed security and privacy program.
But the severity of those findings vary, she said, since some are about having policies or procedures, while other controls are more significant and related to data validation procedures.
Security and privacy controls, she said, are largely informal and undefined. She said data validation controls by the Idaho State Controller’s Office are inconsistently documented and configured.
“While critical security configurations and infrastructure have been implemented and managed effectively by the State Controller’s Office, (the agency) acknowledges the need for stronger governance controls, such as design of documentation, updated policies and procedures, and performance of key security and privacy processes,” Renfro said.
After Renfro’s presentation, Sen. Scott Grow, R-Eagle, asked her about the risk of publicly discussing the audits findings.
“How public is this summary? … It seems like where it recognizes those areas of deficiency, it almost gives the roadmap for somebody to come and try to attack the system,” asked Grow, co-chair of the Legislature’s Joint Finance-Appropriations Committee.
While it seems like it gives a roadmap, Renfro replied, “it doesn’t give a roadmap to the level that I think people will be able to do that.”
The Legislative Council privately deliberated for about an hour Monday in executive session “to discuss statewide security and related information.”
What we already knew about Luma’s issues
Luma replaces a patchwork series of legacy business systems that dated to 1987 and 1988 that Idaho State Controller’s Office officials have said outlived their useful life, and were vulnerable to security threats and natural disasters that could take a physical data center offline.
The Idaho Legislature authorized the creation of Luma in 2018 through House Bill 493, estimating the new system would cost $102 million over five years.
Since last fall, Idaho Capital Sun has reported on a number of challenges, procedural errors and data errors that hampered Luma’s launch, including:
• Idaho’s inability to distribute more than $100 million in interest payments to state agencies. That was among Luma-related issues that Idaho State Treasurer Julie Ellsworth disclosed to the Sun in February. Idaho State Controller Brandon Woolf said his goal was to resolve the payment issue that month. In a presentation to JFAC that month, he stressed Luma is operational, but has yet to be optimized.
• When the state went live with Luma in July, fewer than 50% of the state’s employees had completed basic level training on Luma.
• In November, the state double paid more than $32 million in Idaho Department of Health and Welfare payments after more than 3,000 transactions from Nov. 27 were duplicated. The Idaho Freedom Foundation first reported on the duplicated payments.
• An eastern Idaho nonprofit called Island Park Sustainable Fire Community said it was not paid for months for work the organization completed and invoiced through state grants. Officials with the nonprofit organization said they began receiving payments after they complained to state legislators and news reporters about the problem.
• For the first three months of the fiscal year, which began in July, Idaho state officials were unable to generate the official comparative revenue reports that legislators and the public use to track revenue collections against budget projections and historic revenue levels.
In February, House Speaker Mike Moyle, R-Star, and a bipartisan group of eight legislators asked the Office of Performance Evaluations — an independent, nonpartisan state watchdog agency — to evaluate Luma and report to the Idaho Legislature.
All Office of Performance Evaluations staff are working on its Luma report, which the agency plans to submit to the Legislature in October, Director Rakesh Mohan told the Legislative Council on Monday.