2018 by the numbers: 2,721 audits. 120 trainings. 16 fraud reports … and more

On the public’s behalf, the Office of the Washington State Auditor is on the trail of good government. Check out our 2018 Annual Report, and follow along with our 350 auditors as they track public dollars and discover opportunities for greater transparency. You’ll learn about our audit work, read summaries of key fraud and whistleblower cases, gain insight into performance audits and more.

Read the Annual Report.


Local government cybersecurity performance audits provide tailored solutions

Government organizations have become increasingly dependent on computerized information systems to carry out their operations. These systems process, store and share sensitive and confidential information, including personal and financial data, in order to deliver services to residents. Risks to a local government’s information technology (IT) environment go beyond the activities of hackers stealing credit card information or Social Security numbers, or installing malware to disrupt communications. Errors or misuse of the system by employees or contractors can also jeopardize the operation of any entity that relies on computers and networks.

Research by Verizon Wireless in their 2017 Data Breach Investigation Report shows that the public sector reported the most cyber security incidents, and the third most confirmed data breach incidents, of any industry in 2016. A 2017 study by the Ponemon Institute, a research center that focuses on privacy, data protection and information security policy, found that governments pay an average of $110 per record lost in a data breach. To help Washington’s local governments protect their IT systems, we offer them the opportunity to participate in a performance audit designed to assess whether there are opportunities to improve the security of those systems. Skagit County chose to participate in this audit; you can read their report on our website. You can also watch one of our talented IT auditors presenting the results of the audit to Skagit County.

How to build a “resilient cybersecurity culture” for your government

Governments are vulnerable to cybersecurity breaches. In this way, they don’t vary much from private-sector businesses, whose sometimes spectacular cybersecurity failings grab headlines. So, as a government with limited resources, how do you prepare for the inevitability of some bad actor trying to access sensitive information?

An August 2018 report from (ISC)2, a non-profit focused on “inspiring a safe and secure cyber world,” details several key ways in which governments and private businesses alike can begin to build an internal culture focused on cybersecurity awareness. The major take-aways? Management understands the importance of strong cybersecurity: 97% of the cybersecurity professionals (ISC)2 polled indicated their managers understood why it was important. But while management may understand why it is important to focus on cybersecurity, they were less clear in the job descriptions they wrote to hire dedicated talent: 52% of the cybersecurity professionals asked said job descriptions didn’t demonstrate an understanding of security.

The disconnect between management’s understanding of the threat cybersecurity breaches pose and the general understanding of the security environment could create opportunity for disarray in addressing threats. However, the (ISC)2 report goes on to say that building a culture that effectively addresses cybersecurity concerns really centers on hiring and retaining talent, ensuring management is aware of the importance of cybersecurity, and aligning policies and strategy. Management’s concern and interest in building an effective shield against attack is enough, provided the cybersecurity team is adequately staffed and their expertise is taken seriously.

If you are a local government that is struggling to keep up with the demands of ever-evolving cybersecurity issues, the Office of the Washington State Auditor has resources to help. Visit our website for resources and checklists designed to help you.

The Complaint Resolution Unit within the Aging and Long-term Support Administration receives a State Auditor’s Office Stewardship Award

State Auditor Pat McCarthy attended a reception at the Department of Social and Health Services (DSHS) Aging and Long-term Support Administration’s (ALTSA) Complaint Resolution Unit (CRU) on Friday, July 6 to award them a State Auditor’s Office Stewardship award. Our Office is pleased to recognize the Department for its dedication to making government work better. The Department’s Complaint Resolution Unit (CRU) and field operations within the Aging and Long-Term Support Administration made significant improvements to resolve a long-standing audit finding and improve services to its clients.

Whatcom Transportation Authority receives State Auditor’s Office Stewardship Award



In this photo: Board (left to right): • A.J. Walcott, President, Amalgamated Transit Union, Local 843 • Kelli Linville, Mayor of Bellingham • Eric Davidson, Blaine City Council Member • Jim Ackerman, Mayor of Nooksack • Cathy Watson, Board Chairperson and Ferndale City Council • Satpal Sidhu, Whatcom County Council Member • Michael Lilliquist, Board Vice-Chairperson and Bellingham City Council Member • Jack Louws, Whatcom County Executive Next row: WTA Finance Staff (left to right) • Laurie Pederson, Payroll Specialist • Tami Eastwood, Revenue Manager • Erin Knudson, Manager of Accounting • State Auditor Pat McCarthy • Shonda Shipman, Director of Finance • Lynda Fox, Accounting Technician II • Susan Dickinson, Accounting Technician I • Magan Waltari, Purchasing and Contracts Coordinator


The Office of the Washington State Auditor is pleased to recognize Whatcom Transportation Authority as an outstanding example of commitment to safeguarding public resources. Authority management has consistently demonstrated dedication to proactive risk evaluation and resolution, compliance with applicable requirements, transparency and an attitude that invites our Office’s guidance, especially during the audit process.

Congratulations on your State Auditor’s Office Stewardship Award Bellingham School District No. 501


Pictured here, left to right: School Board President Kelly Bashaw; Superintendent Dr. Greg Baker; State Auditor Pat McCarthy

State Auditor Pat McCarthy was pleased to recognize Bellingham School District on June 20, 2018 as an outstanding example of commitment to safeguarding public resources. District leadership has consistently demonstrated dedication to risk evaluation and resolution, compliance with applicable requirements and transparency, especially during the audit process.

Keeping your private data safe: cybersecurity for government


Principal Performance Auditor Erin Laska was featured last week on TVW, highlighting the continued need for cyber security protection of the sensitive public data the state stewards. At the Office of the Washington State Auditor, we take seriously the work of safeguarding the public’s data from those who would seek to exploit it. That’s why we regularly evaluate both state (see our most recent performance audit here) and local government cybersecurity controls for weakness, and make practical recommendations to help governments in Washington solve their cybersecurity challenges.


Local governments remain vulnerable to cyber attack: repost from the New York Times

As local governments in Washington and across the United States deal with increasingly sophisticated attacks aimed at bringing down the vital government services residents depend on, the need for careful controls and cyber security measures grows ever more crucial. At the Office of the Washington State Auditor, one of the ways we support local governments is by helping them increase their cyber security in anticipation of just such events as those outlined in the New York Times article below. Are you interested in learning more about how we can help? Click here to read cyber security resources.

A Cyberattack Hobbles Atlanta, and Security Experts Shudder


MARCH 27, 2018

ATLANTA — The City of Atlanta’s 8,000 employees got the word on Tuesday that they had been waiting for: It was O.K. to turn their computers on.

But as the city government’s desktops, hard drives and printers flickered back to life for the first time in five days, residents still could not pay their traffic tickets or water bills online, or report potholes or graffiti on a city website. Travelers at the world’s busiest airport still could not use the free Wi-Fi.

Atlanta’s municipal government has been brought to its knees since Thursday morning by a ransomware attack — one of the most sustained and consequential cyberattacks ever mounted against a major American city.

The digital extortion aimed at Atlanta, which security experts have linked to a shadowy hacking crew known for its careful selection of targets, laid bare once again the vulnerabilities of governments as they rely on computer networks for day-to-day operations. In a ransomware attack, malicious software cripples a victim’s computer or network and blocks access to important data until a ransom is paid to unlock it.

“We are dealing with a hostage situation,” Mayor Keisha Lance Bottoms said this week.
