Members of the state’s Legislative Audit Committee were transparent on Monday about their displeasure with executive agencies dragging their feet on implementing audit recommendations.
“Some of these departments, it looks like what they're saying is, ‘Teah, yeah, we’ll get right on it.’ And when they’re off the hot seat, they ignore it,” said Rep. Lori Saine, R-Dacono. “That’s not right.”
Legislators reviewed a report of all audit recommendations over the past five years, 99% of which the state’s agencies agreed to implement and 93% they have actually implemented.
However, State Auditor Dianne E. Ray noted that there were “repeat offenders” whose recommendations lingered. The report pointed to the governor’s Office of Information Technology as an entity that maintains a high number of uncompleted recommendations.
“There are recommendations that continue to be outstanding year after year after year within OIT,” said audit manager Jenny Page. “Many of them involve within IT systems that can take a long time to implement, but there are also material weaknesses in controls within those IT systems.”
Sen. Jim Smallwood, R-Parker, said that the audits he has seen all have time built in to make the necessary changes.
“These are still significantly tardier than what we expect given all of those factors.”
Page replied that agencies tend to push completion dates further into the future for old recommendations with each new report that comes out. Ray added that the auditor’s office abides by the agencies’ estimates of their deadlines.
Her comments prompted Rep. Tracy Kraft-Tharp, D-Arvada, to ask if legislators could tell agencies that their implementation deadlines were unacceptable.
They can, Ray responded.
Of the 20 recommendations that the report considered “high priority due to the seriousness of the problems identified and/or the length of time that they have not been fully implemented,” the information technology office had seven of those.
“Are we just putting the welcome mat out for hackers for some of these systems?” Saine asked the auditors.
Deputy State Auditor Matt Devlin cautioned that the whole answer would be appropriate for an executive session.
“From 2013-2018, 240 audit recommendations have been received by the Office of Information Technology. As of today, 35 items remain,” said OIT’s chief communications officer, Brandi Wildfang Simmons, in a statement. “OIT has implemented all security controls possible to partially mitigate these recommendations and secure the state's IT infrastructure. Work is underway for the remaining recommendations, which are tied to major system replacements or implementations.”
In response to a question from Sen. Nancy Todd, D-Aurora, about whether the new gubernatorial administration this year factored in to the slow implementation time, Page answered that the most recent recommendations covered in the report were made public in 2018 before the election.
“I don’t buy into the sense of ‘we’re in transition.’ No matter who’s in charge, there needs to be a high sense of urgency,” said Sen. Rhonda Fields, D-Aurora. “I call them excuses, and I am kind of fed up with it.”
Fields asked whether any of the lingering recommendations, such as those related to public health agencies, caused a risk to any communities.
“By their nature, if they make their way into an audit report, they’re significant enough,” Devlin said. He added that the auditor’s office does not have the authority to enforce recommendations.
Page noted that between 90 and 100 outstanding recommendations have been typical each year since 2014, when legislative hearings began pursuant to the State Measurement for Accountable, Responsive and Transparent Government (SMART) Act. Departments present their performance plans, budget requests, and agendas to lawmakers at the hearings.
The report suggested that legislators ask department heads the reasons for delayed implementation of recommendations during the SMART Act hearings.
Rep. Rod Bockenfeld, R-Watkins, suggested a more extreme method of holding executive leaders accountable for financial material weaknesses.
“I’m wondering if there’s some things we can do with a bill this year that’s going to create some incentive for these material weaknesses to be addressed,” he said. “I don’t know if that’s when you give an average salary increase in a division, that they should be reduced a quarter of a point if they had material weaknesses that are hurting the finances of this state because they haven’t been addressed.”
Bockenfeld added that “maybe that’s not the right penalty,” but he was not in favor of “just pleading with these folks to deal with these material weaknesses.”