The 2021 and 2022 incidents were reviewed in the county's annual accountability audit, which was already in the works when staff reported the losses to the state, said Carolyn Fundingsland, Cowlitz County auditor.
The county's separate annual financial audit, which reviewed 2021 spending of federal pandemic relief funding, included two "findings" for insufficiently monitoring organizations it contracted with to distribute the funds. Cowlitz was one of 21 counties in the state with similar relatively minor findings related to COVID-19 relief funding, Crosscut reported in March.
FRAUDULENT INVOICES
The first loss of funds occurred in spring 2021, when the county Health and Human Services Department paid two invoices totaling $21,000 to Lauri Rowland, doing business as Choices, that the county later determined as fraudulent because Rowland didn't perform services she was billing for, according to the February accountability audit report and court records.
Almost every year since 2010, the county contracted with Rowland, a substance use disorder professional, to assess and determine if jail inmates were qualified for Drug Court or inpatient treatment.
The department denied reimbursement of two additional fraudulent invoices Rowland submitted for May and June 2021 and notified law enforcement and the State Auditor's Office of the loss. In October 2022, Longview police arrested Rowland, who is charged with first-degree theft and attempted theft.
PHISHING SCAM
In August 2022, the county Public Works Department paid $184,235 to a fraudulent bank account after receiving a phishing email requesting the county update payment information for an existing vendor, Fundingsland said.
Staff realized the error after the contractor working on the Pacific Avenue North Half-Bridge contacted the county because it wasn't payed. While the county had a practice of confirming requested bank changes with vendors, staff did not complete this verification before sending payment, according to the audit report.
After working with the bank and Kelso police, the county recovered the money and isn't pursuing further action, Fundingsland said. Kelso Police Capt. Rich Fletcher said he was not aware of any ongoing case and there's not much the department can do because many phishing scams originate outside the country.
At the time, Cowlitz County didn't have a formal written policy for electronic fund transfers, including a requirement to verify that all bank change requests were made by the actual vendor, according to the audit report.
After realizing the scam, all county accounts payable clerks were notified, sent resources for detecting wire fraud scams and attended an in-person training on fraud awareness and verification, the report states.
Several county departments adopted formal written procedures and the county implemented new account validation service available through its bank, Fundingsland said.
On Dec. 13, the commissioners approved a countywide policy on cyber awareness. The new policy sets a "clear expectation" and gives Fundingsland's office leverage to require accounts payable clerks to attend training, she said.
Most every county department has an accounts payable clerk or someone who processes the bills and payroll, Fundingsland said.
Since 2016, state agencies and local governments have reported 111 cyber losses totaling more than $25 million, according to the State Auditor's Office 2022 Cybersecurity Report.
"The public should be aware these threats are evolving and escalating," Fundingsland said. "We do everything we can to stay ahead of them."
FEDERAL SPENDING AUDIT
The 2021 financial and federal audit didn't find fraud or a loss of funds, but that Cowlitz County didn't perform a formal risk assessment of the organizations it contracted with to run COVID-19 assistance programs.
Cowlitz County spent nearly $1.2 million in Coronavirus Relief Fund program money and $5.3 million in Emergency Rent Assistance in 2021, according to the report published in January.
During the audit period, the county lacked staff to manage the programs and was not aware of risk assessment requirements, the report states. The formal assessment is new, and county staff completed parts of the process.
County staff met with the organizations weekly to review any program changes, eligibility questions and documents to maintain consistent review and communication, the report states.
"Administering these funds was challenging, the funds came quickly with pressure from the federal and state level to get them out quickly," the county wrote in response. "There were also continual changes to the program guidelines, reporting requirements, etc. that were difficult to keep up with."
The county is developing a risk assessment tool to implement in the near future, the report states.
©2023 The Daily News, Distributed by Tribune Content Agency, LLC.