By Sam Smith
Tired of auditors finding the same problems in state agencies over and over again, legislators on the Joint Audit Committee on Tuesday kicked around proposals that would put some teeth in the law and force agencies fix the problems auditors found.
“I have been on this committee for a long time,” said Sen. John Astle, D-Anne Arundel. “I have seen a number of these repeat violations come back and the auditors come back. The agencies haven’t dealt with them and then we come back another year and they still haven’t dealt with them.”
Tackling this issue is not new to the committee. Four bills were introduced last year that dealt with the issue, but none of them got out of committee.
Corrective legislation has been proposed but not passed
House Bill 843 would have required a 5% cut to an agency’s budget when there are three or more repeat findings. House Bill 1473 stated that agencies with two or more repeat findings must report to the Office of Legislative Audits nine months after the audit report was released and on a quarterly basis thereafter until findings have been rectified.
Senate Bill 617 would have required that audits and reports done by the OLA be accessible on the website of state government agencies within 30 days of the reports. It also required that agencies with five or more repeat audit findings make available their reports on actions taken to address audit findings.
House Chair Guy Guzzone, D-Howard, proposed that “automatic language” be established for the Department of Legislative Services to include agencies’ repeat audit findings in its recommendations to House and Senate budget committees. This would allow the committees and subcommittees to take into account repeat findings when reviewing agency budgets.
“If in those times where there are repeat findings, [there’s] the chance for subcommittees and full committees to look at that kind of language and send messages where they feel appropriate,” Guzzone said.
Legislative analysts currently determine the severity of repeat findings and sometimes include them in their budget recommendations. Guzzone’s idea would standardize the practice so that repeat audit findings can be addressed every time.
Punishing agency administrators
Del. Galen Clagett, D-Frederick, suggested that the administrators and leadership of the agencies be held more accountable.
“If they are not corrected, the people who run the agencies should pay the penalty, not the people served by the agencies because we cut their budget.” Clagett said.
Clagett suggested that salary deductions and loss of tenure should be on the line for agency leaders when they repeatedly fail to correct problems.
Astle and Guzzone agreed with Clagett.
“The executive branch appoints them to do this job and if they are not doing the job then there ought be someway that we can take action,” Astle said.
Concern about punishing administrators
Sen. Richard Madaleno Jr., D-Montgomery, said that threatening the administrators might not be fair considering there could be mitigating circumstances preventing agencies from rectifying audit findings. He added that an administrator could be punished for audits that happened before he or she was on the job.
“I am always fearful when you put it into law, discretion goes away because you are trying to follow it,” Madaleno said. “We need to use our judgements and let our staff use their judgement as well”.
However, Astle said that if there is a circumstance that is hampering the agency’s compliance, the agency head should be transparent about it.
“The agency heads understand what these problems are and they should come out on the front side and say that ‘we have a problem here, and I want you to know that we got a problem, and I am going to need your help to address it,’” Astle said.
IT secretary defends agency on audit findings
As another part of its hearing Tuesday, the committee questioned the Department of Information Technology about its role in overseeing state agencies that host Personal Identifiable Information on agency-run IT systems. Maryland Reporter wrote about an audit released Oct. 9 that found DoIT had delegated its responsibility for enforcing compliance with the state’s information security policy to each individual state agency.
IT secretary Elliot Schlanger said that for one department to manage the computer security of all the state agencies was beyond the current capacity of his department..
Although Schlanger said his department was correcting four of the major findings in the report, it cannot change the delegation of IT security enforcement at this time.
“We have done a pretty good job so far,” Schlanger said. “We can not let our foot up off the pedal. We need to audit ourselves continuously. In the end, there is no system that can claim that we are free from potential cyber attack or breach.”
Bill 843 was introduced by our own Delegate, Gail Bates, during the last session, and Senator Pipkin filed the same bill in the Senate. The recommendation for a 5% “cut” in an agency’s budget was not permanent. The funds were to be ‘held back’ until the agency was able to remedy the repeated audit findings. This is an incentive that is likely to work very well, since agencies/departments are very involved in the budget process and concerned about getting every dollar they can. Indeed, with the threat of a “hold-back”, the actual implementation of such a hold-back would probably never happen. The agencies/departments would be incentivized to make every effort to remedying any repeat findings in the second year so that they would not face the possibility of a third year repeat finding leading to a 5% holdback of funds. This is such an important issue that I’m glad to see the legislature paying attention. And congratulations to Gail Bates for starting the conversation!
The Joint Audit Committee is responsible for reviewing “audit processes and procedures” and recommending changes to the legislative auditor’s office. As such, the committee must actively evaluate the quality of the auditor’s work and integrity of its reports. The fact that audit findings don’t get resolved is partly due to auditor weakness in designing audit workplans, developing findings, and too much detachment from management when writing reports.
The first change the committee needs to make involves the audit peer-review process. Outside peer reviews need to be done annually. The committee, NOT THE AUDITOR, needs to select and remunerate the peer reviewer. And the peer reviewer must report during his review jointly to the committee (via a subcommittee established for this purpose) and the audit office liaison.
The several recent audit reports I’ve studied show a pattern of barely meeting audit standards, and indicate technical and cultural shortcomings within the auditor ranks that require immediate attention.
As far as the proposed legislation, HR 617 and 1473 are reasonable. HB 843 is not only irresponsible, but it also would have adverse unintended consequences.
It appears you don’t have a true understanding of the Joint Audit Committee and Office of Legislative Audits. The Joint Audit Committee asks the OLA to perform special audits, in addition to the regular audits required by law. The Committee then receives the audit reports and agency responses for review. How could findings that are not properly developed result in repeat findings? It’s the agencies lack of effort and responsibility that causes the repeat findings. The agencies are not held accountable for the findings; therefore, they don’t care.
The OLA receives a peer review once every three years by state auditors from other states. The reviewers are not paid and are not selected by the OLA. After completion, the peer review reports are posted on the OLA’s website. The most recent report states that the OLA has conformed with the government auditing standards and had no findings of non-compliance.
I’d like to know what recent audit reports you have reviewed and what technical and cultural shortcomings you have identified.
(1) Disagree with your first sentence because my understanding has always been consistent with your next two.
(2) Peer reviews: Please see the eligibility requirements for the AICPA’s Governmental Audit Quality Center. The OLA should become qualified.
(3) As far as problems with OLA audits, search “audit” and see my specific comments to prior OLA reports.
(4) I don’t think it’s prudent to believe repeat audit findings are due exclusively to agency inaction.
(1) Maybe I am not interpreting your first sentence correctly “The Joint Audit Committee is responsible for reviewing “audit processes
and procedures” and recommending changes to the legislative auditor’s
office.” because the JAC is not responsible for reviewing audit processes and procedures or recommending changes to the auditors.
(2) The OLA meets the eligibility requirements of the GAQC, which includes making public the most recent NSAA Peer Review.
(3) I’ve read your comments to the audit reports. The reports issued are not going to specifically state the detailed scope of the audit and procedures taken to address fraud risks. The findings disclosed in the report are only surface level data to convey the overall problems to the public. I understand you may have questions regarding the work performed based on the lack of specific detail in the report, but you cannot say that the auditors did not perform the work. We don’t have access to the work papers to see how risks were addressed and how the findings were developed. Only the auditors, agencies, and peer reviewers see the detailed audit work.
(4) You are correct, repeat audit findings are not due exclusively to agency inaction. Repeat audit findings are also due to inadequate and incorrect action by agencies.
Across the board cuts to agency budgets is a meat cleaver, not a scalpal. It would unfairly hurt the public that these agencies serve, not their leaders. Holding the administrators and leadership accountable has merit. There should be a broad range of disciplinary remedies available, from letters of reprimand , fines, loss of pay, suspension, and ultimately removal from office. If the problems continue to be systemic, there should be sanctions against the Governor as well. While my proposal may appear harsh, the lack of accountability in Maryland’s Executive Branch is truly remarkable. It might be a good idea to empower the Comptroller to investigate the progress of financial audit remediation, and provide input to the legilature’s deliberations.