Lawmakers debate repeat audit offenders

ANNAPOLIS — Tired of auditors finding the same problems in state agencies over and over again, legislators on the Joint Audit Committee are kicking around proposals that would put some teeth in the law and force agencies to fix the problems auditors found.

“I have been on this committee for a long time,” Sen. John Astle, D-Anne Arundel, said during a Tuesday hearing. “I have seen a number of these repeat violations come back and the auditors come back. The agencies haven’t dealt with them, and then we come back another year and they still haven’t dealt with them.”

Tackling this issue is not new to the committee. Four bills were introduced during last year’s General Assembly session that dealt with the issue, but none of them got out of committee.

House Bill 843 would have required a 5 percent cut to an agency’s budget when there are three or more repeat findings. House Bill 1473 stated that agencies with two or more repeat findings must report to the Office of Legislative Audits nine months after the audit report was released and on a quarterly basis thereafter until findings have been rectified.

Senate Bill 617 would have required that audits and reports done by the OLA be accessible on the website of state government agencies within 30 days of the reports. It also required that agencies with five or more repeat audit findings make available their reports on actions taken to address audit findings.

House Chair Guy Guzzone, D-Howard, proposed that “automatic language” be established for the Department of Legislative Services to include agencies’ repeat audit findings in its recommendations to House and Senate budget committees. This would allow the committees and subcommittees to take into account repeat findings when reviewing agency budgets.

“If in those times where there are repeat findings, [there’s] the chance for subcommittees and full committees to look at that kind of language and send messages where they feel appropriate,” Guzzone said.

Legislative analysts currently determine the severity of repeat findings and sometimes include them in their budget recommendations. Guzzone’s idea would standardize the practice so that repeat audit findings can be addressed every time.

Del. Galen Clagett, D-Frederick, suggested that the administrators and leadership of the agencies be held more accountable.

“If they are not corrected, the people who run the agencies should pay the penalty, not the people served by the agencies because we cut their budget,” Clagett said.

Clagett suggested that salary deductions and loss of tenure should be on the line for agency leaders when they repeatedly fail to correct problems.

Astle and Guzzone agreed with Clagett.

“The executive branch appoints them to do this job, and if they are not doing the job then there ought to be some way that we can take action,” Astle said.

Sen. Richard Madaleno Jr., D-Montgomery, said that threatening the administrators might not be fair considering there could be mitigating circumstances preventing agencies from rectifying audit findings. He added that an administrator could be punished for audits that happened before he or she was on the job.

“I am always fearful when you put it into law, discretion goes away because you are trying to follow it,” Madaleno said. “We need to use our judgments and let our staff use their judgment as well.”

However, Astle said that if there is a circumstance that is hampering the agency’s compliance, the agency head should be transparent about it.

“The agency heads understand what these problems are and they should come out on the front side and say that ‘we have a problem here, and I want you to know that we got a problem, and I am going to need your help to address it,’” Astle said.

As another part of its hearing Tuesday, the committee questioned the Department of Information Technology about its role in overseeing state agencies that host Personally Identifiable Information on agency-run IT systems. An audit released Oct. 9 found DoIT had delegated its responsibility for enforcing compliance with the state’s information security policy to each individual state agency.

IT secretary Elliot Schlanger said that for one department to manage the computer security of all the state agencies was beyond the capacity of his department.

Although Schlanger said his department was correcting four of the major findings in the report, it cannot change the delegation of IT security enforcement at this time.

“We have done a pretty good job so far,” Schlanger said. “We cannot let our foot up off the pedal. We need to audit ourselves continuously. In the end, there is no system that can claim that we are free from potential cyber attack or breach.”
