Auditors monitoring the KDHE/Department for Children and Families early-childhood data integration and system enhancement project told the Legislative Post Audit Committee they moved the project's schedule to an alert status after user-acceptance testing (UAT) uncovered hundreds of defects and because change orders and legislative-driven scope changes have pushed work behind schedule.

Katrin, the monitoring lead, summarized the program and its risks. She said KDHE signed a $4,300,000 contract in January 2024 and later received a $5,000,000 federal grant that expanded available funds, but the project's current estimate had grown to about $5,200,000 "which includes the initial $4,300,000 for the contract, plus the various change orders and the additional monitoring costs".

Auditors put cost in "caution" and schedule in "alert." Katarin told the committee that parties agreed on a new completion target of early June 2026 but the plan was "neither complete nor realistic" because the schedule did not include all remaining work and because UAT was already slipping. She said the UAT work exposed more than 600 defects in the first two weeks and that agency officials had limited visibility into remediation progress.

On security, auditors said contractual security assurances existed but that security has not been an explicit deliverable at the right stage. "Security should become a higher priority at this stage," the auditor said, because proactively addressing security reduces the risk of expensive rework.

KDHE officials responded in the same hearing. Derek Flork, bureau director for family health at KDHE, said KDHE has demanded a revised schedule by December 1 and has escalated vendor oversight to include executive-level check-ins. He described plans to sit down with the vendor and "categorize them and prioritize them" to triage the UAT defects.

Bob Doan, KDHE's CIO, told committee members the vendor has experience in licensing systems but that recent staff reassignments had caused gaps and the state has asked for dedicated staff from the vendor to be assigned to Kansas. Doan said the contract is fixed-price and that payments are tied to deliverables, but he confirmed there are no explicit liquidated-damage penalties for missed schedule milestones.

Auditors recommended clearer definition and enforcement of security deliverables, more realistic scheduling and categorization of defects to prioritize remediation work. Committee members pressed KDHE and the vendor on timelines, security responsibilities, and whether the vendor's staffing commitments would remain prioritized for Kansas.