Auditor Harmon’s report details how the lack of controls, which allows any person with access to the Automated Vehicle Information System, and Kentucky AVIS to alter social security numbers.
File Photo
(Frankfort, Ky,) - The Commonwealth has failed to address an issue for the past seven years with Kentucky’s Motor Vehicle Registration System that, in past instances, led to fraud and criminal charges. That is one issue identified in Auditor Mike Harmon’s report on the Motor Vehicle and Motorboat Registration System (MVR) for Calendar Year 2019.
Auditor Harmon’s report details how the lack of controls, which allows any person with access to the Automated Vehicle Information System (AVIS), and Kentucky AVIS (KAVIS) to alter social security numbers, has not been addressed by the Kentucky Transportation Cabinet’s Division of Motor Vehicle Licensing since it was first identified in 2013.
“The Office of the Auditor of Public Accounts, along with other state agencies, have discovered past instances where individuals have altered social security numbers and allowed tax payments to be avoided. In some cases, such as prior audits in Edmonson and Madison counties these findings have resulted in criminal charges. We are also referring issues we discovered in this year’s audit in Jessamine County to the Office of the Attorney General,” Auditor Harmon said. “This problem with AVIS has existed under multiple administrations. It is essential that checks and balances be put in place, and the Commonwealth conducts annual reviews of KAVIS to eliminate this gateway to future potential fraud.”
The finding is among five comments in the MVR audit:
The Kentucky Transportation Cabinet’s Division Of Motor Vehicle Licensing did not ensure procedures were in place to prevent or detect inappropriate changes of data in the Automated Vehicle Information System and the Kentucky Automated Vehicle Information System: The Kentucky Transportation Cabinet’s (KYTC) Division of Motor Vehicle Licensing (MVL) did not ensure adequate measures were in place to prevent an individual from altering a social security number (SSN) in the Automated Vehicle Information System (AVIS) and Kentucky AVIS (KAVIS) in order to avoid paying delinquent tax obligations. In addition, MVL does not conduct or oversee a periodic review of SSN changes in AVIS or KAVIS for appropriateness. This issue was originally identified in the calendar year (CY) 2013. Since no action has been taken by the agency to remediate this weakness, this finding has been upgraded to a significant deficiency.
Employees in county clerk offices are allowed to change the SSN associated with a vehicle for valid reasons, including divorces and changing from joint ownership to sole ownership. KYTC stated all county clerks are aware that an individual cannot sell, transfer, or renew a vehicle that has delinquent taxes and that changing a SSN to avoid paying property taxes is illegal. There was an instance of inappropriate changes to SSNs in Jessamine County during CY 2019.
There are no controls in AVIS at the point of data entry to restrict changes to SSNs. If a county clerk believes fraud has occurred, they may request the Department of Revenue (DOR) review transaction activity. DOR then requests a transaction activity report from the Commonwealth Office of Technology (COT) and reviews it for unusual activity. Any potentially inappropriate activity is provided to the Auditor of Public Accounts (APA) for further review. This process only occurs on request, and there is no periodic review for unreported unusual activity. MVL is not involved in this review.
There are more stringent controls in place in KAVIS, which is gradually replacing AVIS and is partially implemented. Vehicle registrations have not transitioned to KAVIS yet, but KYTC is developing necessary controls to prepare for this transition. When the taxpayer provides a driver’s license number, SSN, or Individual Taxpayer Identification Number (ITIN), KAVIS validates the individual’s information via KYTC’s driver’s license database. When individuals are verified this way, they are known as ‘DL Verified,’ and their information becomes unalterable by clerks. However, if a passport, visa, or green card number is entered instead, no verification occurs and clerks are able to alter the customer information. Any alterations are logged, including who made the change and the date and time. As with changes in AVIS, there is no periodic review of these KAVIS changes for appropriateness.
KYTC, DOR, COT, and the county clerk offices all have roles in the vehicle registration process. However, as owner of the data in AVIS and KAVIS, KYTC’s MVL did not ensure this data was correct and protected from unauthorized changes. Failure to ensure controls are in place at the point of data entry to prevent altering SSNs, and a lack of a periodic review process for changes that do occur, could result in violations of KRS 186.021(1).
KRS 186.021(1) states, “a county clerk shall not issue a replacement plate, decal, or registration certificate as provided in KRS 186.180, or registration for renewal to any person who on January 1 of any year owned a motor vehicle on which state, county, city, urban-county government, school, or special taxing district ad valorem taxes are delinquent.”
We recommend MVL:
- We recommend MVL communicate with County Clerks explaining the appropriate reasons for making changes to Social Security Numbers.
- Develop a process to periodically review SSN changes in AVIS until KAVIS is fully implemented. A process to periodically review changes to non-verified customers in KAVIS should also be developed and implemented as soon as any vehicle registrations begin processing in KAVIS.
- Appropriately restrict the users’ ability to change SSNs when KAVIS modules related to vehicle registrations are implemented.
Kentucky Transportation Cabinet’s Response: Since 2013, the Division of Motor Vehicle Licensing has undergone several leadership transitions. It seems that this issue and recommended resolution has gotten lost in the shuffle. However, under the current division leadership, this issue will be addressed and corrected timely and efficiently. MVL will begin the process of implementing all three recommendations promptly.
- MVL has created a monthly conference call with the KY County Clerks Association (KCCA), as well as monthly training opportunities with the KCCA and other periodic meetings. During these interactions, MVL will routinely stress the importance and legality of the defined reasons and process for legally and appropriately changing SSNs, and the consequences for doing so illegally/inappropriately. MVL will also alert the KCCA to the intended action outlined in bullet two below, as well as report periodically to the KCCA of the outcome of our periodic reviews and the action taken to correct violations. This will substantially increase accountability and will provide a mechanism for both correcting and justifying instances where a SSN is changed.
- MVL will be scheduling a series of necessary meetings with DOR and COT to discuss, and begin the process of creating and implementing, a process like what has been recommended. Upon development, MVL will schedule periodic reviews with DOR regarding any suspicious activity and will also follow up with any counties with reported activity to determine the validity of the SSN changes. MVL and DOR will work together to develop the process and outcome until KAVIS is able to provide this functionality.
- This is already underway in the programming phases of KAVIS.
The Kentucky Transportation Cabinet and the Commonwealth Office of Technology have not recovered the Kentucky Automated Vehicle Information System during disaster recovery testing: The calendar year 2019 audit revealed the Kentucky Transportation Cabinet’s (KYTC) Kentucky Automated Vehicle Information System (KAVIS) has never been recovered during disaster recovery testing. KYTC’s infrastructure is consolidated with the Commonwealth Office of Technology (COT). As such, responsibilities associated with disaster recovery are separated. KYTC is responsible for identifying critical systems to be included in disaster recovery testing and working with COT to remediate any issues that arise. COT is responsible for backing up, testing, and recovering KAVIS data in the event of a disaster. COT performs regular backups and has developed a formal disaster recovery plan (DRP). Recovery testing was attempted in February and October 2019. While KAVIS was scheduled to participate, the system could not be recovered during either test. KYTC is waiting for the next testing exercise offered by COT to attempt recovery again.
The goal of a disaster recovery plan is to improve preparedness for extended system outages at minimal cost using available resources. Disaster Recovery should be documented, approved, properly distributed, tested on a consistent basis, and updated as needed. Further, key staff assigned to perform these procedures should be trained on a periodic basis.
KYTC stated that KAVIS recovery was unsuccessful during the February 2019 disaster recovery testing and could not be tested during the October 2019 disaster recovery test. Failure to implement a complete disaster recovery plan increases the possibility of loss due to excessive recovery time, costs, and disruption of processing capabilities in the case of a disaster or extended system outage. Disasters can cause short or long-term disruptions in services and, specific to KRS, could cause the loss of critical employee and member data.
CIO-113: Contingency Planning Policy, which became effective July 16, 2019, “requires that IT systems and services acquisition adhere to, at a minimum, the moderate-level control standards outlined in the NIST 800-53 Revision 4 Contingency Planning (CP) control family, in accordance with CIO-091 Enterprise Information Security Program.”
According to KRS 42.726:
(1) The roles and duties of the Commonwealth Office Technology shall include but not be limited to:
(c) Developing strategies and policies to support and promote the effective application of information technology within state government as a means of saving money, increasing employee productivity, and improving state services to the public, including electronic public access to information of the Commonwealth;
(d) Developing, implementing, and managing strategic information technology directions, standards, and enterprise architecture, including implementing necessary management processes to assure full compliance with those directions, standards, and architecture. This specifically includes but is not limited to directions, standards, and architecture related to the privacy and confidentiality of data collected and stored by state agencies;
We recommend KYTC continue working with COT to ensure disaster recovery testing of KAVIS is conducted as soon as possible. All staff involved in the DRP processes should receive training to ensure they are aware of their assigned responsibilities.
Kentucky Transportation Cabinet’s Response: KAVIS participated in DR testing in the Spring of 2019. COT manages, monitors and maintains KYTC user computing, Enterprise services, servers, databases and network; therefore, KAVIS DR is dependent on COT support teams for disaster recovery and conducting testing with the agencies. COT is responsible for backing up, testing, and recovering KAVIS data in the event of a disaster. COT performs regular backups and has developed a formal disaster recovery plan (DRP). COT did not conduct lessons learned or provide follow-up from the testing effort necessary for updates to KAVIS DRP and the corrections/improvements to be applied during the next DR test.
The KAVIS team requested testing failing over the KAVIS system from the CDC to the ADC to further prepare for a potential disaster event using automated methods; however, COT advised automated methods were not available. COT further advised the KAVIS team that recovery must be done manually by COT support teams and an automated test is not feasible due to the COT supported network infrastructure.
COT is conducting a DR test of the mainframe applications and data, and the scope of the testing includes distributed systems reliant on those applications and data beginning 4/20. COT has undergone a change in DR services leadership and has advised improvements to the network infrastructure have been deployed over the past year. KYTC has provided COT DR leadership concerns from the prior years’ testing. KYTC is currently working with COT to ensure KAVIS has a Disaster Recovery Test/Failover Test; however, due to the previous issues and logistics of testing and executing a DRP, KYTC is participating in testing DR for ALTS and AVIS Mainframe applications of which distributed Motor Carrier systems are dependent. COT DR leadership advised there will be pre-testing meetings, COT teams configuring the parallel isolated environments, and perform lessons learned with the agencies. KYTC will monitor DR testing progress and evaluate the results from testing. Those lessons learned will be utilized for KAVIS DRP and DRP testing as soon as feasible based on COT’s DR schedule.
COT is responsible for providing DR and other technical training to their support teams. KAVIS systems and data are backed up daily and available for recovery for contingency and continuity. The KAVIS team members are skilled developers and system support. The DR testing exercise and the DRP reviews and updates provide the necessary training to prepare for a potential disaster event.
The Elliott County Clerk owes $122,392 in usage tax to the Department of Revenue: The Elliott County Clerk did not properly account for usage tax collections. For the calendar year 2019, the county clerk owes usage tax to the Department of Revenue (DOR) in the amount of $122,392. As of March 31, 2020, the usage tax account had a balance of $133,737. After remitting the required amount due, there is an unknown balance of $11,345 in the account. The county clerk did not properly deposit usage tax collections daily and transfer amounts to the state depository as required. Deposits to the usage tax account were random, grouped together, or not made at all. Usage tax was not transferred to DOR timely. Payments were up to thirteen months late or not made at all. Also, weekly usage tax reports were not properly maintained. The county clerk was missing weeks 1-11 and 29-31.
The county clerk did not have procedures in place to ensure the correct amount of usage tax was remitted from the fee account to the usage tax account daily and properly transferred to the state timely. In addition, the county clerk was not reconciling her usage tax account monthly. As a result of not properly remitting usage tax from the fee account to the usage tax account, the county clerk runs the risk of overpaying excess fees to the county and not having the funds to remit to DOR. The clerk also runs the risk of incurring penalties that are prohibited from being paid from the fee account. In addition, by not properly reconciling the usage tax account it was overdrawn three times during the year resulting in $59 in overdraft fees.
KRS 131.155(2)(c) requires the county clerk to deposit motor vehicle usage tax and sales and use tax collections in the clerk’s local depository account not later than the next business day following receipt. The clerk shall cause the funds to be electronically transferred from the clerk’s local depository account to the State Treasury in the manner and at the time prescribed by the department. According to KRS 138.464(4), “Failure to deposit or, if required, transfer collections as required above shall subject the clerk to a penalty of two and one-half percent (2.5%) of the amount not deposited or, if required, not transferred for each day until the collections are deposited or transferred as required above. The penalty for failure to deposit or transfer money collected shall not be less than fifty dollars ($50) nor more than five hundred dollars ($500) per day.”
We recommend the county clerk remit the $122,392 in usage tax owed to DOR from the usage tax account. After remitting the amount due, the county clerk should investigate the remaining balance in the usage tax account and determine the disposition of the funds. In the future, the county clerk should ensure the correct amount of usage tax is deposited from the fee account to the usage tax account daily and transferred to the DOR timely. The easiest way to do this would be to perform monthly bank reconciliations of the usage tax account.
Elliott County Clerk’s Response: Restructuring duties and responsibilities among staff. Assigning a “usage deputy” to handle usage payments/ach-pay. Will correct and complete any usage discrepancies on or before 6-1-2020 have inquired about electronic transfer (for usage acct.) from Frankfort dept but don’t have an answer yet. Will follow recommendations from auditor.
The Elliott County Clerk owes ad valorem taxes to taxing districts in the amount of $106,115: The county clerk did not properly pay ad valorem taxes due to the taxing districts. Payments for motor vehicle ad valorem taxes were not made for the months of July and September, except for the county district and no payments were made for December. In addition, payments were not made for boat ad valorem taxes starting in July with the exception of the county district for July and September. The following chart depicts amounts due to districts:
Bartholomew County Man Arrested for Child Molesting
Indiana State Police Investigating Death of Inmate
Kentucky State Police Investigating Fatal Fire in Carroll County
