FRANKFORT, Ky. (AP) — An audit says Kentucky’s unemployment insurance office had a massive backlog of unread emails as it struggled to process jobless claims.
State Auditor Mike Harmon says more than 400,000 emails archived by the office were unread as of last Nov. 9. He says those emails could reveal problems needing to be resolved and questions from unemployed Kentuckians.
Among the issues auditors identified within OUI and the UI fund are:
- Due to the volume of claims and new federal programs related to the COVID-19 pandemic, OUI leadership made decisions that violated federal law and sacrificed program integrity in an attempt to more quickly get payments to unemployed individuals. One of these changes, referred to as “Auto-Pay,” allowed UI benefits to be automatically paid without requiring claimants to report the weekly wage information needed to determine whether they were actually eligible for benefits. Seasoned OUI and Commonwealth Office of Technology (COT) staff expressed concerns about implementing Auto-Pay, but it was implemented in spite of those concerns. Auto-Pay was in effect two weeks for traditional UI and eight weeks for PUA, and it contributed to causing many of the issues identified in the auditor’s findings.
- Although OUI officials made high-risk decisions in an attempt to pay benefits more quickly, many claims still were not processed in a timely manner. As of October 29, 2020, the claims backlog of unprocessed, initial jobless claims totaled approximately 80,000. Additionally, OUI had archived more than 400,000 emails the office received through its UI assistance email account that remained unread as of November 9, 2020. These emails from claimants could include indications of problems for OUI to address, not to mention general questions from unemployed Kentuckians. This issue is described in Finding 2020-003 in the SSWAK report, which also highlights how OUI made management decisions that directly conflicted with federal law. In fact, a security breach involving user confidentiality earlier in the year was only discovered because of an email from a claimant, which is referenced in Finding 2020-023 of the audit.
- The external pressure of the pandemic incentivized OUI management to override important system controls. Due to the lack of controls over payments during the Auto-Pay period, auditors could not precisely estimate total overpayments or underpayments. While Auto-Pay was in effect, $17.8 million was paid in traditional UI benefits, $129.9 million was paid in PUA benefits, and $507.7 million was paid in FPUC benefits. While not all of these payments were improper, they were paid in a control environment highly conducive to improper or even fraudulent payments.
- Serving as a good illustration of the problems created by Auto-Pay, auditors selected a sample of 37 state employees who filed for and received UI benefits, and discovered 16 state employees were paid unemployment benefits for the loss of part-time jobs despite still being employed by the state. Claimants are required to report any earnings during the week for which they are claiming benefits, and their full-time state wages would have made these employees ineligible for benefits. However, the adoption of the “Auto-Pay” policy eliminated the system control that asked claimants to report their weekly earnings, and so the system did not take into account wages from their full-time state employment. The net overpayment in this sample was more than $116,000. Furthermore, seven of the employees did not report wages earned from full-time employment even when the Auto-Pay period had ended despite having the ability to do so.
- OUI did not develop a reasonable and reliable estimate of unpaid claims for the accounts payable balance of the UI fund. Initially, OUI was unaware of the need to produce an estimate. After auditors inquired, in October 2020, OUI estimated there were more than $731.8 million in yet-to-be paid claims. However, OUI only had limited documentation to support their estimate. Auditors then determined that OUI’s estimate did not include the FPUC portion of UI claims, which increased the estimated amount owed in claims to $2.08 billion. After making OUI aware, auditors then received a third estimated amount of $144.5 million. Auditors then asked additional questions related to areas that didn’t have supporting documentation, such as the percentage of claim weeks likely to be paid, which resulted in the estimate of unpaid claims being lowered to $88.9 million. This issue, in addition to the internal control issues noted within OUI, led to the qualified opinion on both the unemployment compensation fund and the business-type activities for the Fiscal Year 2020 CAFR.
- OUI had multiple issues related to information security and data processing. The UI system contains the private, personal taxpayer information for every employed Kentuckian, and the audit revealed that federally mandated and state required monthly system security checks were not performed. In addition, the UI mainframe performed job batch and production schedules that were undocumented and for which no one at UI or COT could provide an explanation, the system maintained “active” user interfaces that could not be explained and which were not used, basic security protocols such as employee vetting and required password resets were lax, and the system allowed and experienced manual changes to claimant files through direct mainframe access. All of this occurred in an agency operational environment where ongoing updates and software changes were pushed through with improper and missing documentation, lack of testing, and implementation in contravention of the agency’s own policies.
- OUI failed to inform the Auditor of Public Accounts, along with other state agencies, of three data breaches that occurred in April and May 2020. State law requires agencies to notify APA and others within 72 hours of the occurrence. On April 23 and 24, 2020, a data breach was reported by a UI claimant who reported they had viewed other claimants’ uploaded documents, including Social Security cards, driver’s licenses and birth certificates. OUI did not notify APA and others until after the media learned of the breach, at least a month after it occurred. And on May 6, 2020, after OUI claimed a security patch had permanently resolved the issue, a similar data breach occurred again. APA was not notified about the breach until two months after it happened.
Harmon released the audit Tuesday. Kentucky, like other states, was hit by massive numbers of claims for jobless assistance brought on by the coronavirus. Gov. Andy Beshear has noted that the state’s unemployment system endured years of budget cuts before he became governor.