NLPES Question of the Month

Feb./March 2004: 

Do you have tips for reviewing auditees’ e-mails or computer hard drives, in cases where this is necessary?

Gerald Schwandt, Michigan

The Michigan Office of the Auditor General does not have a practice of requesting access to emails or computer hard drives as a normal part of our audits.  However, the Office has had two unique situations in which the need arose to obtain access to computer hard drives and emails of an audited agency.

In the case of accessing hard drives, the issuance of a court order was extremely effective in providing access and in eliminating all objections to that access.  However, the court order was issued pursuant to a related investigation by the State Police and the FBI rather than the audit, so we did not face any difficulties with access.  Our Office of Information Technology staff had the necessary expertise to perform the review of the hard drives, which resulted in obtaining relevant audit evidence.

In the other case, we requested access to an employee's emails after an issue was disclosed during the audit procedures for one of the audit objectives.  We placed the request with the Director of the audited bureau, who referred it to the Department Chief Information Officer, who then referred it to the Department Deputy Director, who objected to the access.  Access was eventually granted after a 3-week delay, but assurance that the emails had not been tampered with was compromised.  In future requests to access emails, we would request that our State Department of Information Technology (in control of the state’s email server) immediately capture all relevant emails, then deal with the issues surrounding access.

Michigan's statewide policy states that emails and computer files are state documents subject to Freedom of Information Act requests.  However, state departments differ on their retention periods for emails, making it necessary to act quickly to preserve evidence.  

Jim Pellegrini, Montana

How often does our office review agency e-mails or computer hard drives during the course of program evaluation work?  Not very often.  In fact, we have done it two times.  It both instances, it involved the use of government resources for personal use.

How do we go about obtaining this information?  In both cases, we were sensitive to the fact that there is some presumption of personal privacy, yet the resources are public property.  We went through the person's supervisor and requested that they review the e-mail and hard drive with us. (As supervisors they have access to the working area and any of the individual's resources.  The employee does not have the same degree of presumption of personal privacy from his/her supervisor.)  Even though we do have access to the information, this approach maintains a level of credibility with the effected agency or program.  We are not Big Brother.

How have we ensured that the information was not been tampered with in any way?  Both situations occurred as surprise visits.  The individual was not there at the time.  In one of the cases, we used software to look for deleted files.  Our state policy has all e-mail automatically destroyed after 30 days.  So, we need to be timely.

Do we have any “lessons learned” to pass on about accessing this information?  Get supervisory personnel involved.  Be timely.  Hope you don't have to do it too often.  

Perry Simpson, South Carolina

In our current audit of our Department of Natural Resources, we asked the agency to provide us with e-mails and copies of hard drives for selected employees.  One good thing was that it was relatively easy for the agency’s IT staff to set up a computer through which we could gain access to this data.

One thing to consider when reviewing electronic data such as hard drives and e-mails is to try and keep it to a manageable level.  Trying to review the e-mails or hard drives of all employees would be too time-consuming.  One thing we found with the e-mails is that they really are only good if you are looking for something recent.  In a number of cases, the e-mails only went back a few months at best.  In other cases, people apparently cleared out their e-mails regularly and there were less than a handful on the computer.  That said, several e-mails proved useful in documenting agency policy and in explaining how the agency was responding to certain situations.  They also helped to identify potential audit areas.  The hard drives also proved useful in documenting communication between staff that we otherwise might not have been able to find.

E-mails are fast becoming the communication method of choice.  I think that auditors need to try and be aware of this and include e-mails in their review of agency records where appropriate.  They can be a great source of leads for audit findings and can help document agency policy.  

Marla Conroy, Minnesota

We have not seized hard drives during our investigations.  In one case, we tried to obtain access to a state contract vendor’s hard drive, however there were issues involving data privacy.  The computer held information on state contract activity as well as other business activity.  I am aware of certain internal audit shops, specifically the Minnesota Department of Human Services’ internal auditor, that have obtained hard drives when addressing employee misconduct allegations (questionable use of state resources, such as inappropriate internet usage, running a private business using state resources).

(Note:  Chris Buse from the Minnesota Office of the Legislative Auditor’s Financial Audit Division also offered some comments on this topic.  He said that there is a field of “computer forensics” that is highly technical—beyond the expertise that IT auditors typically have.  This can involve handling computer information in a way that would allow it to be admissible in court as evidence, if necessary.  Some large executive branch agencies in Minnesota have contracted with a private individual to do this type of work, but the Legislative Auditor’s Office has not done it and does not have staff qualified to do it.)  

Rick Riggs, Kansas

This issue hasn’t come up in our office.  

Ken Levine, Texas Sunset Commission

We do not review agencies emails or computer hard drives.  That seems to be something that may be more necessary in auditing then in program evaluations or in our policy evaluation work.