The Colorado State Auditor’s annual report on whether state agencies are tuning up their financial controls found nearly four dozen serious recommendations still haven’t been implemented, some going back more than five years.

The state auditors conduct dozens of audits every year. They generally fall into three categories: financial audits, performance audits and information technology audits.

From July 2016 to June 2021, state auditors made a total of 1,523 recommendations to auditees in those three categories.

Through June 30, 2022, auditees had implemented 93 percent of the audit recommendations that they agreed to implement.

However, of the 102 audit recommendations not yet implemented, 46 were classified as high priority due to the seriousness of the problems identified, and/or because they have been unimplemented for three years or more.

The agency with the largest number of those serious unimplemented recommendations – 17 in all – were in the governor’s office, with two dating back a decade and a third that was first reported in 2014. Six of the most serious were designated as “material weakness,” the most serious level of internal control weakness. A material weakness leads to concerns by the auditor that there is a “reasonable possibility of a material misstatement to the entity’s financial statements or of material noncompliance with a federal program requirement that will not be prevented, or detected and corrected, in a timely manner,” according to the audit report.

Two of the oldest recommendations from 2012 were reported as material weakness deficiencies. Both were tied to information technology controls within the Colorado Unemployment Benefits System (CUBS), the Colorado Automated Tax System (CATS), and the Colorado Labor and Employment Applicant Resource system. While all are part of the Department of Labor and Employment, recommendations were listed under the governor’s office because information technology is managed out of that department.

The two 2012 recommendations actually date back to 2009, and the administration of then-Gov. Bill Ritter. The recommendations were tied to specific problems with access management and software configuration management for both CUBS and CATS.

The 2012 audit noted both the Department and the Office of Information Technology failed to design and implement IT control activities required by Colorado Cyber Security Policies. Due to “lack of ownership and and clear delineation of roles and responsibilities between the Department and OIT, it was unable to implement the outstanding Fiscal Year 2009 recommendation subparts,” the audit reported.

The two unimplemented recommendations “increase the risk of a system compromise and threaten the confidentiality, integrity, and availability of the data CUBS and CATS contain and process.”

State auditor Kerri Hunter told Colorado Politics that if issues continue to persist with recommendations that have not been implemented, “we have a responsibility to continue to report it and be transparent about what we’re finding.” Auditors aren’t the enforcement mechanism but standards, including federal standards, require the auditors to keep those issues out front until they are resolved.

As to the some of the IT recommendations that have lasted for years, Hunter said they tend to last longer because there are more components to resolve.

But there are risks to the state with failure to implement recommendations made by the state auditors, Hunter explained. 

For example, in recommendations on financial audits that carry the most serious level of recommendation – a material weakness – that can result in a material misstatement to the state’s financial statements overall. Hunter said. That in turn can cause the auditor to modify their opinion on the state’s financial information. The bottom line is that those misstatements could carry ramifications to the state such as risks from rating agencies.

Failure to implement recommendations also carry risks that come from the federal government, Hunter said. The federal government has its own compliance requirements under what’s known as the single audit act. A material weakness, for example, in a federally-funded state program can result in sanctions from the federal government and a potential loss of federal funds. That affects both how the federal government looks at noncompliance and additional risk tied to programs that require general fund matches from the state, she added.

Recommendations that last for years carry other potential problems, explained Greg Fugate, the director of communications and quality assurance. “The big picture” is that without the fixes recommended by the state auditor, programs can continue to have gaps in service delivery, efficiency or prioritization of resources. “We try to have the recommendations focused on how the state close the gaps.” When those recommendations don’t get implemented, auditors look at whether there are still inefficiencies and ineffectiveness in those programs. 

The role of the auditor is to keep bringing this to people’s attention, Hunter added.