DeKalb County

DeKalb County’s internal auditors refusing to release critical report

DEKALB COUNTY, Ga — DeKalb County’s internal auditors are refusing to release an obviously critical report of the county’s Oracle software system, which is used to manage everything from human resources to purchasing to payroll for a government that spends about $1.2 billion a year.

It’s clear from reading the public portions of the September 2022 report that the system is deeply flawed, but the auditors refuse to release details because they contend that might leave the already badly managed system open to sabotage or terrorism. Taxpayers are in the dark.

[DOWNLOAD: Free WSB-TV News app for alerts as news breaks]

“This is shameful as far as I’m concerned,” said Dr. Andy Green in an interview with Channel 2 investigative reporter Richard Belcher. Green teaches IT security at Kennesaw State University and has consulted with the channel on IT security issues for the better part of a decade.  He says “the real story” is “the fact that the county is using state law to be less than transparent with their citizens and not allow their citizens to engage in true oversight.”

Auditors look for flaws, document them and recommend changes to encourage improvements in government services or operations. They documented so-called “findings” in 10 separate areas of DeKalb’s Oracle system. One page that is not blacked out shows that six are coded red -— meaning more serious — and four are coded yellow. Those are also problems but not as serious as the ones coded red, but if you go looking for details, you’ll find page after page is blacked out or redacted.


Green says the problems might be less serious than taxpayers worry, or, he says, “It could be that these things are actually much worse. The problem is we’re in the dark. The public is in the dark here.”

We emailed the spokesperson for DeKalb County, Michael Thurmond, and heard back from the county attorney’s office, which told us the redactions were the responsibility of the county’s internal auditors who are, by law, independent of the CEO and Board of Commissioners.

Lavois Campbell, the interim chief audit executive, emailed after our inquiry: “We have reviewed those determinations and judgments with legal counsel and our chairperson. The redacted sections relate to specific vulnerabilities in the Oracle application ‘which if made public could compromise security against sabotage, criminal or terroristic acts.’ O.C.G.A. § 50-18-72 (a)(25)(A). Those areas of vulnerability, if identified, would compromise the security of specific operations. We are constrained to do whatever is required to protect those operations from sabotage.”

Green mocked the county’s claim. “The idea that threat actors go around and collect these vulnerability assessment reports from these governmental entities to look for a way into the system is laughable on its face,” he told Channel 2.

He contends auditors could have found a way to release at least some of their findings. “They are not prohibited from releasing this. They are simply given an exception that says, ‘You don’t have to.’ The state law doesn’t say you are prohibited from (releasing the information), and to me, that’s a big difference,” he said.

A year ago, DeKalb’s independent auditors blacked out virtually everything in a report about the security of the private information of county employees and county vendors. We were stumped until Atlanta Journal Constitution report Tyler Estep obtained a copy of the full audit and shared it with us. The documented problems were serious and potentially embarrassing.

[SIGN UP: WSB-TV Daily Headlines Newsletter]