By Sam Smith
Tired of auditors finding the same problems in state agencies over and over again, legislators on the Joint Audit Committee on Tuesday kicked around proposals that would put some teeth in the law and force agencies fix the problems auditors found.
“I have been on this committee for a long time,” said Sen. John Astle, D-Anne Arundel. “I have seen a number of these repeat violations come back and the auditors come back. The agencies haven’t dealt with them and then we come back another year and they still haven’t dealt with them.”
Tackling this issue is not new to the committee. Four bills were introduced last year that dealt with the issue, but none of them got out of committee.
Corrective legislation has been proposed but not passed
House Bill 843 would have required a 5% cut to an agency’s budget when there are three or more repeat findings. House Bill 1473 stated that agencies with two or more repeat findings must report to the Office of Legislative Audits nine months after the audit report was released and on a quarterly basis thereafter until findings have been rectified.
Senate Bill 617 would have required that audits and reports done by the OLA be accessible on the website of state government agencies within 30 days of the reports. It also required that agencies with five or more repeat audit findings make available their reports on actions taken to address audit findings.
House Chair Guy Guzzone, D-Howard, proposed that “automatic language” be established for the Department of Legislative Services to include agencies’ repeat audit findings in its recommendations to House and Senate budget committees. This would allow the committees and subcommittees to take into account repeat findings when reviewing agency budgets.
“If in those times where there are repeat findings, [there’s] the chance for subcommittees and full committees to look at that kind of language and send messages where they feel appropriate,” Guzzone said.
Legislative analysts currently determine the severity of repeat findings and sometimes include them in their budget recommendations. Guzzone’s idea would standardize the practice so that repeat audit findings can be addressed every time.
Punishing agency administrators
Del. Galen Clagett, D-Frederick, suggested that the administrators and leadership of the agencies be held more accountable.
“If they are not corrected, the people who run the agencies should pay the penalty, not the people served by the agencies because we cut their budget.” Clagett said.
Clagett suggested that salary deductions and loss of tenure should be on the line for agency leaders when they repeatedly fail to correct problems.
Astle and Guzzone agreed with Clagett.
“The executive branch appoints them to do this job and if they are not doing the job then there ought be someway that we can take action,” Astle said.
Concern about punishing administrators
Sen. Richard Madaleno Jr., D-Montgomery, said that threatening the administrators might not be fair considering there could be mitigating circumstances preventing agencies from rectifying audit findings. He added that an administrator could be punished for audits that happened before he or she was on the job.
“I am always fearful when you put it into law, discretion goes away because you are trying to follow it,” Madaleno said. “We need to use our judgements and let our staff use their judgement as well”.
However, Astle said that if there is a circumstance that is hampering the agency’s compliance, the agency head should be transparent about it.
“The agency heads understand what these problems are and they should come out on the front side and say that ‘we have a problem here, and I want you to know that we got a problem, and I am going to need your help to address it,’” Astle said.
IT secretary defends agency on audit findings
As another part of its hearing Tuesday, the committee questioned the Department of Information Technology about its role in overseeing state agencies that host Personal Identifiable Information on agency-run IT systems. Maryland Reporter wrote about an audit released Oct. 9 that found DoIT had delegated its responsibility for enforcing compliance with the state’s information security policy to each individual state agency.
IT secretary Elliot Schlanger said that for one department to manage the computer security of all the state agencies was beyond the current capacity of his department..
Although Schlanger said his department was correcting four of the major findings in the report, it cannot change the delegation of IT security enforcement at this time.
“We have done a pretty good job so far,” Schlanger said. “We can not let our foot up off the pedal. We need to audit ourselves continuously. In the end, there is no system that can claim that we are free from potential cyber attack or breach.”