Missouri State Auditor Nicole Galloway released two reports Tuesday reviewing the Crime Victims' Compensation system.
In the reports, Galloway's office looked separately at the system's data security and data analytics.
Upon completion of the audits, which reviewed the computer system that manages payments to crime victims, the office made recommendations to improve the system's operations and data security.
The Missouri Crime Victims' Compensation (CVC) program was created to financially assist victims - who have suffered bodily or psychological injuries - to pay for reasonable medical, counseling or funeral expenses, and lost wages because of a crime.
The CVC program is a payer of last resort for financial losses not covered by other sources, such as insurance, workers' compensation or restitution from the offender, according to the report.
It paid out about $15 million from 2016 (when the current computer system went into effect) to 2018.
Galloway said in a news release Tuesday that the state should take every precaution to assure the system operates efficiently and to protect victims' personal information to prevent them from being re-victimized.
It provides recommendations to improve services for victims.
"The data security report found lack of planning in data management could result in system vulnerabilities and recommended the department document and establish formal policies and procedures, a security plan, and a security and privacy awareness training program (for staff)," the release stated. "The audit also made recommendations to ensure user access is appropriate and that users are not able to access the system from multiple locations at the same time."
Victims may file a claim for payment from the CVC for up to two years after the date of the crime, according to the reports. While some benefit categories have lower limits than others, the program reimburses a maximum of $25,000 per claim for crime-related expenses.
It can provide up to:
$400 per week for lost wages,
$5,000 for funeral expenses,
$2,500 for counseling expenses,
$250 for personal property seized by law enforcement as evidence, and
Up to 15 percent of the total award for attorney's fees.
Funding for CVC comes primarily through a surcharge of $7.50 assessed as costs during criminal cases, according to the reports. The fee is collected and remitted to the Department of Revenue in all courts except municipal courts. The first $250,000 collected each fiscal year is deposited in the State Forensic Laboratory Fund. Next, funds are used for payments associated with costs of the Office for Victims of Crime and for the automated crime victim notification system. Remaining funds are deposited equally in the Crime Victims' Compensation Fund (CVCF) and the Services to Victims Fund (SVF).
Municipalities may retain 5 percent of surcharges assessed in municipal court cases. The remainder is deposited equally between the CVCF and SVF.
The report on data security concluded the program requires a data governance program to reduce risk that security and privacy controls will continue to operate as they are designed and to assure confidentiality, integrity and availability of program data are protected.
It recommended the Missouri Department of Public Safety, which operates the program, form an information technology steering committee to oversee system management and operation, document and review policies and procedures, document a formal security plan for the system, implement a risk assessment process, provide security and privacy training, document procedures for monitoring and maintaining data (in addition to establishing a record-locking control to prevent concurrent editing).
The DPS responded to each of the recommendations. It said it has maintained an informal committee regarding operation of the CVC system since 2016. DPS has already begun (this spring) revamping its policies and procedures manual. "System-specific policies and procedures are scheduled to be developed in conjunction with the security plan."
The DPS has directed a new information technology systems analyst and the Information Technology Services Division to create a security plan.
It has created a plan to formalize already existing risk assessment procedures.
The DPS will implement a training program that includes risk assessment, security and other appropriate subjects.
"In an audit of the system's operations, the review found ineffective automated controls related to claim amounts and dates. Since certain system data controls do not always work as intended, the department relies on individuals to review and correct errors. This increases the risk that inaccurate payments could be processed by the system," the news release stated.
The report recommended increased efficiency in providing funding to victims.
"An automated process could ensure a more effective and efficient review," according to the release.
In its reply, the DPS stated a review of claim data from the system did not identify any excessive claims or violations of payment hierarchy, demonstrating the efficiency of current claims processors. But, the CVC steering committee will address the recommendation for further controls.