This audit reviewed a selection of county election offices' policies and practices to ensure the accuracy and security of voting machines, ballots, storage units, and tabulators.
State law gives county election officials discretion over how to run elections in their counties, so election processes vary across counties. We identified and reviewed election security best practices from the U.S. Election Assistance Commission, the federal election agency. They fall into 5 general security categories: overall process, election management computer, ballot, voting and tabulation, and transfer and movement security. Kansas only has a few high-level election security-related laws and regulations related to these 5 best practice categories.
We reviewed whether 13 counties had policies and practices that aligned with 55 best practices and state laws during the 2022 primary or general elections. These counties generally had adequate overall process and election management computer security practices. Ballot security practices were weaker overall, but county results varied. Most of the 13 counties we reviewed had inadequate voting and tabulation machine security practices except for physical security practices. And the 13 counties we reviewed had some adeqate transfer and movement security practices, but others that were generally inadequate. Overall, larger counties generally had stronger security practices than smaller counties because of their greater security needs and resources. But these results don't necessarily mean elections aren't secure.
Finally, none of the counties we reviewed had adequate written election security policies or guidance.
This audit reviewed a selection of county election offices' policies and practices to ensure the accuracy and security of voting machines, ballots, storage units, and tabulators.
State law gives county election officials discretion over how to run elections in their counties, so election processes vary across counties. We identified and reviewed election security best practices from the U.S. Election Assistance Commission, the federal election agency. They fall into 5 general security categories: overall process, election management computer, ballot, voting and tabulation, and transfer and movement security. Kansas only has a few high-level election security-related laws and regulations related to these 5 best practice categories.
We reviewed whether 13 counties had policies and practices that aligned with 55 best practices and state laws during the 2022 primary or general elections. These counties generally had adequate overall process and election management computer security practices. Ballot security practices were weaker overall, but county results varied. Most of the 13 counties we reviewed had inadequate voting and tabulation machine security practices except for physical security practices. And the 13 counties we reviewed had some adeqate transfer and movement security practices, but others that were generally inadequate. Overall, larger counties generally had stronger security practices than smaller counties because of their greater security needs and resources. But these results don't necessarily mean elections aren't secure.
Finally, none of the counties we reviewed had adequate written election security policies or guidance.
Welcome to the Rundown, your source for the latest news and updates from the Kansas Legislative Division of Post Audit featuring l P A staff, talking about recently released audit reports and discussing their main findings. Key takeaways in why it matters. I'm Brad Hoff . In July, 2023, L P a released part two of a performance audit examining Kansas' Election Security Procedures. I'm with Andy Brizo, principal auditor at Legislative Post Audit who supervised the audit. And also joining us are Morrie , Exline and Sam Dads senior auditors and team members, all of you. Welcome to the rundown.
Speaker 2:Thanks Brad. Thanks
Speaker 3:Brad. Thank you, Brad.
Speaker 1:Now, before we get into the audits findings, describe what you looked at for this audit and how it relates to part one, which L p a released back in February of 2023.
Speaker 2:Okay, so initially this was part of a five question proposal that was approved by the legislative post audit committee. We split it for reporting purposes into two different parts, as you mentioned. So part one dealt with the original questions three through five of the proposal. So that dealt with , um, training for county election officers and election workers cast vote records , um, ballot images and security , um, issues related to long-term care facilities. This report, part two, deals with questions one and two from that initial proposal, which actually for this we combined into a single question. So this will look at whether county election offices have adequate policies and practices to ensure the accuracy and security of specifically of voting machines, ballots, storage units and devices used to tabulate votes during elections. There's a lot of other areas that are important for election security that we didn't get into just because the scope didn't include them, the audit proposal didn't include them. Um, but this is part of a , a larger five question proposal that was approved.
Speaker 1:So to set the stage for the rest of our discussion , uh, talk a little bit about the different types of people and machines that are involved in county's elections.
Speaker 3:Okay. So in Kansas, elections are overseen by the county election officers and 101 of those counties that duty falls to the elected county clerk. But in Johnson County, Sedgwick, Shawnee and Wyandot County, the election commissioner oversees the elections and that election commissioner in those counties is appointed by the Secretary of State. The major difference between the county clerk and the election commissioner is the clerk is also responsible for all of their other duties , uh, tied to their position, such as tax assessments, while the election commissioner is only responsible for overseeing elections. So the election officers also rely on their staff and election workers to help run elections. Uh, there's also different types of machines that are used , uh, during the election process. Um, I believe the ones people are most concerned about are the ballot marking devices and the vote tabulation machines. So the ballot marking devices, or the voting machines are used by voters to , uh, cast and print their ballots. And the , uh, tabulation machines are optical scanners that are used to , uh, scan and record the votes on the paper ballots. These can be used at the polling places or they can be centrally located depending on the choice of the county. So the last type of machine that's used , uh, during the election process is the election management system. And this serves to aggregate all of the vote totals from across the county and finalize the election.
Speaker 1:Now, in reading the report, it looked like the team relied mostly , mostly on federal level best practices to evaluate counties policies and practices. What types of things do these practices cover and how do they compare to state law?
Speaker 4:Right. So we reviewed best practices from the US Election Assistance Commission, which is also known as the E A C . This is the federal agency that tests and certifies voting machines nationwide. Uh, so of these best practices, we selected 50 practices that we thought were likely to be , uh, important for most counties security. And so these practices fell into five main categories. You can see a full list of those best practices in appendix B. Um, and so we'll just go through each of those five categories really quick. So that first category is overall process security. So this refers to basic practices that just kind of set the stage for a secure election. So these are things like buying certified election equipment, maintaining an inventory of this equipment, and then also just tracking everything that happens with it. The second category is election management, computer security. So this refers to securing this actual computer so that it will accurately compile countywide results. So this category included things like limiting physical access to the computer and then also logging computer activity and then also keeping it disconnected from the internet. The third category is ballot security. So this refers to things that are done to track ballot activity , um, such as noting how many ballots are sent from the county election office to the polling places. Um, and then it also is, you know, comprehensively tracking how they're used and using controls to ensure that all of those legal ballots are tallied. The fourth category is voting and tabulation machine security. So this refers to securing these machines so that they'll actu accurately reflect voters choices on election day. So this includes things like testing them before elections and then also securing them during storage. The final category is transfer and movement security. This refers to securing election equipment as well as election results, media and ballots during transfer to and from the county office in the polling places. Um, and then also sealing equipment and election results during that transfer. So one of the first things that we did was we did also review state law and regulations, and then we found that state law and regulations were generally more general than the best practices. They fully reflected eight and partially reflected three of the 50 best practices that we focused on. So for example , uh, state law actually requires voting and tabulation machines to be e a C certified, but the best practices went a step further with that and they actually specified things like that. These machines , um, should have software that comes from a trusted source. State law did include five additional election security requirements that were not originally included in the best practices from the E A C . So these were things like post-election tests. Um, there were a few other things as well, and we went ahead and added those to our requirements into our best practices for a total of 55 best practices. The
Speaker 1:Team selected 15 counties for review, but ran into some issues with two of them. Talk about what specifically you looked at, why did you choose the , those counties and what kinds of problems did you encounter?
Speaker 2:So as you mentioned, two of them we had issues with, I'll get to those in a minute, but the 13 that we actually were able to fully review , um, are Chitwa Dickinson, Douglas, Harvey, Jackson Johnson, Lincoln, Miami, Riley, Russell , Sedgwick, Sheridan and Wyandot Counties. So we chose them because they varied in in areas like geographic locations. So we had, you know, counties that are from all over the state, the number of voters. So we had counties that had just, you know, a couple thousand voters all the way up to Johnson County, which has hundreds of thousands of voters. Um, and then the types of election or the types of voting machines they used . So we chose ones that used , uh, voting machines from different vendors. Uh, Sheridan's unique in that it doesn't use voting machines. They make them available to comply with federal law, but they aren't typically used in elections. So they , um, are kind of unique in that respect. They also hand count their ballots and don't use a tabulating machine or an election management computer system. So they're, they're quite unique and that's why we chose them. So the two others , uh, that we had issues with were Chase County and Ford County. So we could review their policies, but we couldn't verify their practices because they sealed most of their 2022 election documentation. So for each county, we intended to review their written security policies and then any available documentation that they had on hand to verify whether, you know, in 2022 during either the primary or general elections, they actually followed those security policies so we could verify what they were doing in practice. But Chase and Ford County, unlike the other 13 that we looked at, they sealed most of this documentation , um, and they put it into the containers that they put their ballots in. So this is legislative post audit has very wide ranging documentation access. Um, but the one, pretty much the one thing that we can't get into are ballot bags, sealed ballot bags. State law requires that sealed ballots remain sealed. And so since all of their documentation, or a lot of it was in these ballot bags, we simply couldn't review enough to get a , a thorough understanding of what their practices were in 2022 , um, and draw conclusions. The other thing I'll mention is that Ford County officials were the one county , um, of the 15 that didn't let us inspect their election management computer. So the other 14, including Chase County, when we were on site , when we visited all of these counties, we were able to inspect their computer, see if it was connected to the internet, see what kind of software was running on it, and Ford County was the one county that didn't let us do that.
Speaker 1:Now, before we get into the results of the audit, in your review, talk a little bit about the methodology the team used and any important caveats that the team outlined in the report that will help the reader better understand the work that the team , uh, completed during this audit.
Speaker 2:Okay. So the first thing we did really was talk extensively to county officials and spend time on site , actually at all 15 counties , uh, including Chase and Ford , inspecting their election offices, inspecting their storage facilities, walking through sort of the layouts and the particular , uh, controls that they had in place that we were able to observe. Uh, we also reviewed any written security policies that they had available. Uh, Sam's gonna talk a little bit later about the results of that particular , uh, review and as I said, any available documentation to verify what these counties did in practice in 2022. And as I said, chase and Ford , we had some limitations , uh, with both of those counties. Some of our conclusions are based on non-pro projectable samples of voting and tabulation machines or polling places cuz we just didn't have time or resources to review all the machines and all the polling places in all, all of these counties. Um, Johnson County, for instance, has 2000 machines and 150 polling places. And so that, that county alone has way too much for us to review given our resources. Uh, we think the samples are sufficient to reveal problems with the design or execution of their security controls, but because we didn't review all the machines or the polling places, there could be some additional control control weaknesses that could potentially exist that we just weren't able to see in our samples. And our conclusions are based on either the documents counties provided or our own observations that we made during those site visits. So there were cases where county election officials told us they had controls in place during the 2022 elections that would've aligned with our best practices, but they couldn't provide documents or show us , um, something that we could observe during our visit. Um, so it's possible that there are cases where these counties did indeed follow best practices in 2022, but weren't counted as having done so cuz we couldn't, we just couldn't verify it. We don't know how common that might have been. Um, we also didn't evaluate whether the county's controls actually worked as intended. So an example of this would be we reviewed whether counties kept lists of the people who were given keys to secure storage facilities where things like voting machines, tabulation machines are being stored. But we didn't determine whether the lists were limited to only the appropriate staff. So we can conclude on whether the counties have the control in place. So the control is intended to track who has access to the machines, but we didn't evaluate whether they've appropriately limited that access , um, as part of our work. The other thing that I wanna point out I think is really important is that we didn't evaluate whether the 2022 elections in these 15 counties were correctly tabulated or, or whether they accurately reflected the will of the voters cuz that stuff was outside of the scope. I also wanna make clear that we focused on the 2022 elections. We did not focus on 2020. We talked to county officials about what types of documentation might be available, but by the time we started, the 2020 documentation was, was either sealed or destroyed , um, in alignment with state and federal law. And the , the approved audit scope did not include a lot of other stuff that, that helps ensure that elections are secure. So this is stuff like voter registration, mail-in voting ballot, drop boxes, the post-election auditing process. These are all elements of election security that simply fell outside the audit scope. And in any cases where that stuff is in place, you know, robust security practices are in place in those areas that would simply compliment and back up the things that we are discussing in this report.
Speaker 1:The report notes that counties generally had adequate practices in the first two areas you reviewed , uh, those were the, their overall process and election management computer security. Tell me more about these areas.
Speaker 3:So the first , uh, the first two areas of five , uh, if you're reading the report, we have a figure for each one of the five areas , uh, scattered throughout the report. Within each relevant section that breaks down results for each county , uh, if you're following along , uh, for overall process and election management security, these areas include basic practices that set counties up for a secure election. So the counties we reviewed generally had strong practices for ensuring only trusted software was installed on the machines and that paper ballots were available to confirm election results. However, counties inventorying practices weren't as strong as a whole, but they were generally adequate. Um, to give you an example of a strong inventory system, Douglas County uses a scanning system to automatically log each time , um, a piece of voting equipment leaves or returns to their warehouse. Uh, conversely, Russell County doesn't log when their equipment leaves or returns to their warehouse. And for election management computer security practices , uh, of the 13 counties , uh, we reviewed, they also generally had adequate , uh, security practices with only a few exceptions. So , uh, the best practices in this category help ensure that the election management computer is secured and will accurately aggregate the countywide results. So all counties demonstrated strong practices for ensuring that their election management computers can't be used for other purposes. And most of them also had strong practices for ensuring activity on those computers as monitored , uh, and that they're secured from unauthorized access. So to give you an example of counties that were doing well , uh, Douglas Johnson and Wand Dot , they had , uh, advanced election management computer security. Uh, their computers were locked in , video monitored rooms requiring key codes or badge access to get in the computers also required complex passwords and logged all system activity. Um, some common control weaknesses in the area related to counties practices for physically securing their computers. Uh, this typically was due to the size of the counties. They had limited space and limited resources. Many smaller and medium-sized counties had to make do with existing space in their county courthouses instead of being able to have , uh, secured rooms devoted to their election management system. So to give an example, counties like Chautauqua and Lincoln , uh, are relatively small counties and they use laptop systems rather than , uh, the permanent desktop systems we saw in places like Douglas Johnson and Wand Dot . Um, so while we were there on site , we were able to view and observe that the laptops were kept locked up. Uh, but what we couldn't do is review their processes of how they keep those machines secured on election night because we weren't there. However, these smaller counties did well on things like monitoring their computer access, logging the activity, and uh, requiring complex passwords in order to log on. So, and of the systems , uh, we were able to review, we were able to see that none were connected to the internet. Uh, and nor did they have any non-election related software installed on them.
Speaker 1:Now, the other three areas that you looked at weren't as strong as the first two that, that Sam had had just talked about. The team found counties had weaker ballot security practices, generally inadequate voting and tabulation machines, security practices and inconsistent transfer and movement security practices. Talk , uh, a little bit more about what you found in the , in these three areas.
Speaker 4:So the best practices in the ballot security category, track ballot activity and help ensure that invalid ballots aren't counted. So as figure four shows in the report, many counties had most of the ballot security practices that we reviewed, however, they were generally weaker than the first two areas that Sam addressed. For instance, about half of those counties we reviewed had weak ballot accounting practices. So these varied from county to county. One example of good processes was in Dickinson County where they documented how many ballots were sent to each polling place and included tracking voted provisional, spoiled and unused ballots. They also documented how many voters used voting machines. Many counties missed this latter step, which is important because it shows how many paper ballots should have been used. Counties did sometimes create standardized forms that could be effective as ballot security controls, how in many cases, forms weren't filled out completely or correctly. So for example, in Sedgwick County, they created a form that required polling places to balance the numbers of checked-in voters to the number of used ballots each hour. But many polling places were missing all or pieces of this documentation. So in terms of voting and tabulation machine security, most of the 13 counties that we reviewed had inadequate security practices except for physical security practices. So the best practices in this category help ensure that voting and tabulation machines are secure and that they accurately reflect voters choices on election day. So looking at figure five in the report, you can see that most counties had adequate practices for physically securing their election equipment while in storage. However, counties had weak practices for testing this equipment at the time of purchase or before or after elections. So some examples of this , um, counties like Douglas, Harvey Johnson, Riley Sedgwick, all stored their voting and tabulation machines in locked video monitored rooms. Uh, these counties also required that staff scan their badges to enter, or in the case of Harvey County, there was a fingerprint scanner used instead. However, in terms of testing, many counties didn't provide documentation showing that all of their electronic equipment had undergone acceptance testing when it was purchased. These tests ensure that they are receiving equipment that is intact and correctly functioning when they first buy them . We also found problems with most counties logic and accuracy testing. This logic and accuracy testing happens prior to elections to ensure that electronic machines are working prior to those elections. So for example, Chitwa Dickinson, Jackson, Lincoln, Riley and Sheridan Counties didn't provide documentation showing that they conducted logic and accuracy testing on all of the machines that we sampled. So finally, in terms of our last category of transfer and movement security, we found that counties were lacking in controls in terms of security practices that would help ensure that electronic equipment, election results, media and ballots are secure when transferred to and from the county election office and polling places. So looking at figure six in the report , we can see that most counties had stronger practices for monitoring equipment deployment to polling places and ensuring that election results were secured during transfer back to the election office. However, they had inadequate policies for monitoring that equipment was secure at the polling places and safely returned after the election. So one example of this, Johnson County tracked when and by whom all election equipment, paper, ballots, election results, media and other supplies were transferred to and from the polling places. So some counties created standardized forms that they said recorded transfer of materials and machines, but it wasn't always clear what the forms were meant to document. So , uh, for instance, Jackson, Lincoln, Miami and Russell Counties provided chain of custody documents that had signatures, but it wasn't evident what signatures were attesting to.
Speaker 1:What do you think explained the differences you saw across the counties you reviewed?
Speaker 4:So there are a few things that we saw that , um, could explain some of those differences. Um, one of the biggest ones was county size and resources. Uh, this played a large role in these differences. Uh , we could see that larger counties generally followed more of the best practices that we reviewed than smaller counties did. Um, so looking back over those results, we see that all seven of the large counties we reviewed had adequate security practices in 10 or more of the areas that we reviewed. On the other hand, only three of the small counties that we reviewed had adequate security practices in Tanner , more of the areas that we reviewed. So larger counties generally have stronger security practices than smaller counties because the sheer volume and complexity requires larger counties to have more controls and better documentation to ensure that things aren't missed. Larger counties also have more financial and staff resources to dedicate to elections. So beyond size, insufficient guidance and oversight at both the state and county levels likely contributes to a lack of controls. So the state doesn't appropriate funding to help counties pay for election security. Further, the Secretary of State doesn't proactively provide state level guidance or make recommendations about minimum security expectations. The annual training that the secretary of state's office provides, a county election officers is high level and doesn't get into topics of like the importance of security controls or how to adequately design and practice them . So finally, county election officers may not be adequately training county election workers or holding them accountable for following established practices. So that being said, election workers may not understand security control's importance or how to correctly carry them out. Um, so standardized forms across counties of all sizes that were filled out incorrectly or not at all are examples of this happening.
Speaker 1:The team also looked at county's election security policies. What did you find in this area?
Speaker 3:Well, in short, we found that none of the 15 counties we reviewed had comprehensive written election security policies or guidelines. Uh, the county officials told us that they rely on state law and the election standards handbook provided by the Secretary of State's office. Uh, many counties did have a few standardized forms and checklists that they used to help guide certain processes, but the quality and completeness varied across counties. Um , and because elections are a complicated process , uh, we expected to see each county have a regularly updated policy manual outlining the county election officer's to help with election worker training and , uh, election officers succession.
Speaker 1:And finally, what's the main takeaway of this audit report?
Speaker 2:So the E a C lays out what is really an ideal system of security practices. Many complement one another, provide redundancy for one another. So if one practice is missing, others may be in place that will help secure the same area. Kansas' decentralized election structure across 105 counties also helps inherently to , uh, provide some security. So each county has different processes, controls, they use different vendors, things like that. So impacting a statewide election would require defeating controls in multiple counties, each of which operates differently. So the EAC provides good practices that are a good goal to strive for. Having them all in place would be great. It would bolster counties election security, but it's not realistic to think that every county would have all of them in place. And like I said, there are other things that are mitigating any weaknesses that we found. I think the overall takeaway from this audit is that there are opportunities for counties and especially the Secretary of State's office and the legislature to, to help counties bolster their processes. So these are complicated, complicated processes. They're expensive, they happen infrequently. A one size fits all approach doesn't make sense, but greater state level support and financial resources, templates, things like that would, would help counties maximize the security of their elections.
Speaker 1:Andy Brizo is a principal auditor and Maury Exline and Sam Dads are senior auditors at legislative post audit . They completed an audit examining Kansas' election security procedures. Andy, Maury and Sam, thanks for joining me.
Speaker 5:Thank you, Brad.
Speaker 3:Thanks Brad.
Speaker 2:Thank you.
Speaker 1:Thank you for listening to the Rundown. To receive newly released podcasts, subscribe to us on Spotify or Apple Podcast. For more information about legislative post audit and to read our audit reports, visit ks lpa.org. Follow us on Twitter at ks audit or visit our Facebook page.