An audit is a systematic and objective examination that involves extensive review and analysis of various data, documentation, and processes. Audits provide essential accountability and transparency over government programs. The OSA’s financial, performance, and IT audits provide solution-based recommendations that focus on reducing costs, increasing efficiency, promoting the achievement of legislative intent, improving the effectiveness of programs and the quality of services, ensuring transparency in government, and ensuring the accuracy and integrity of financial and other information that decision makers need to hold government agencies accountable for the use of public resources.
The OSA functions as the State’s independent external auditor. The Colorado Constitution and state statute grant the State Auditor broad authority to conduct performance, financial, and IT audits of all state departments and agencies, public colleges and universities, the Judicial Branch, most special purpose authorities, any entity designated as an enterprise, and other political subdivisions as required by law.
The OSA’s work plan is determined by three factors. First, we complete audits in response to statutory or other legal requirements. Second, we complete audits in response to requests from members of the General Assembly or the Governor that are approved by the Legislative Audit Committee. Third, we complete audits at the State Auditor’s discretion based on risk, audit coverage, and other considerations.
The OSA conducts its audits in accordance with Government Auditing Standards (commonly referred to as generally accepted government auditing standards, GAGAS, or the Yellow Book) promulgated by the U.S. Comptroller General. These professional standards provide a framework for performing high-quality audit work and address every aspect of an audit, including planning the audit, ensuring the independence and competence of the audit staff who work on the audit, gathering sufficient and appropriate evidence, and reporting on the audit’s findings, conclusions, and recommendations.
The OSA follows Government Auditing Standards, which require that the audit organization and the individual auditor be independent in all matters relating to the audit work. The Colorado Constitution establishes the State Auditor as a nonpartisan position within the Legislative Branch so that it is organizationally separate from and independent of the Executive and Judicial Branch agencies that it audits. Each year, the OSA requires all of its employees to sign an Affidavit of Independence disclosing any known or potential threats to their independence. Any threats to auditor independence are analyzed for their significance and safeguards are put in place to eliminate or mitigate the threats. The OSA also requires the private firms with which it contracts for audit services to affirm their independence with respect to any engagement conducted on behalf of the OSA.
The overall purpose of the OSA’s financial, performance, and IT audits is to ensure government accountability for the use of public funds. However, these audits differ in their purpose and objectives. Financial audits determine whether the State’s financial information is fairly and materially stated and that agencies receiving federal grants are complying with applicable grant requirements. Performance audits determine whether programs are operated in an effective and efficient manner to accomplish their intended goals and in compliance with laws and regulations. IT audits determine the effectiveness of controls over critical state information systems to help ensure the confidentiality, integrity, and availability of these systems and the data they store.
The State Auditor is authorized to access all accounts, records, or other data, including confidential data that are required to complete an audit. According to Section 2-3-107(2)(a), C.R.S., the State Auditor or designated representative “shall have access at all times…to all of the books, accounts, reports, vouchers, or other records or information in any department, institution, or agency.” This right of access includes “records or information required to be kept confidential or exempt from public disclosure upon subpoena, search warrant, discovery proceedings, or otherwise.” When accessing confidential health records, statute requires the State Auditor to determine whether the information is necessary to achieve the audit objectives. In addition to the State Auditor’s right of access, Section 2-3-107(1), C.R.S., grants the Legislative Audit Committee the power to subpoena witnesses, documents, and records, and to take testimony under oath.
Yes. The State Auditor receives audit requests from many different sources, including legislators, state agencies, and private citizens.
Section 2-3-108, C.R.S., requires the Legislative Audit Committee (Committee) to approve any audit requests from members of the General Assembly or the Governor. According to the Committee’s rules, the audit request must be made on the letterhead of, and signed by, the member of the General Assembly or the Governor, as applicable, and submitted to the State Auditor. When a legislative or gubernatorial audit request is received, the State Auditor first seeks approval from the Committee to conduct initial research on the request. This research helps the OSA better understand the reasons for the request and evaluate the feasibility of an audit. Once the initial research is complete, the State Auditor issues a memo to the Committee that outlines the proposed focus of the audit, if an audit is feasible. A majority of the Committee members must vote to proceed with the request before the OSA puts the audit on its work plan for assignment to an available audit team.
Audit requests from members of the public, state agencies, and others are performed at the sole discretion of the State Auditor based on an evaluation of several factors, such as whether the OSA has jurisdiction over the matter, the feasibility of an audit, staffing and resource considerations, and risk and coverage. Audit requests should be made by submitting a letter or email to the State Auditor stating specific details about the problem or concern giving rise to the request; the program, function, or activity that would be the focus of the audit; and the requester’s contact information.
Many factors affect audit timeframes, including the scope and complexity of the audit, staffing resources, and the availability of agency documents, data, and personnel. The OSA’s performance audits typically take about 9 to 11 months to complete. The OSA’s annual statewide financial audit, which is performed on an annual basis, takes about 12 months to complete.
Although each audit is unique, the OSA’s audits generally have three phases—planning, fieldwork, and reporting. During the planning phase of the audit, the audit team works to gain an understanding of the agency’s or program’s activities, assess risks, and make decisions about the scope and objectives of the audit. The audit team also develops procedures that will help guide our work during the fieldwork phase of the audit. Typically, during the fieldwork phase, audit teams perform detailed data analysis and review of source documentation, interview agency personnel and others, and conduct site visits or make physical observations. The goal of the fieldwork phase is to gather evidence that is sufficient, valid, and reliable on which to formulate our findings, conclusions, and recommendations. During the reporting phase of the audit, the audit team prepares a report whose purpose is to communicate the audit’s findings, conclusions, and recommendations to the agency, the General Assembly, others who may be charged with governance, and the public. Once the audit report is finalized, it is made public and discussed during a hearing of the Legislative Audit Committee.
Yes. Every phase of the audit, from the entrance conference until the finalization of the audit report, involves interaction with and input from the audited agency. Input from the audited agency is an important part of ensuring that the audit is fair, complete, and objective. Most importantly, the OSA provides a draft audit report for review and comment by the agency before the report is finalized and distributed to the Legislative Audit Committee or released to the public. During the review process, the agency provides the OSA with feedback on the findings, conclusions, and recommendations, as well as technical corrections and other changes to the report narrative. The agency’s formal written response to each audit recommendation is included in the final audit report, along with the agency’s planned action and implementation date.
The OSA’s overall system of quality control relies on a number of different factors to ensure that we provide high-quality work that can be trusted and relied upon. As a foundation for the OSA’s system of quality control, we have written policies and procedures that are communicated to all staff and set expectations for all aspects of an audit, including compliance with independence, legal, and ethical requirements; adherence to auditing standards; and internal and external monitoring. For example, the OSA requires supervisory review of all audit work performed. Audit findings and reports are reviewed at multiple levels in the organization, up to and including the Deputy State Auditor and the State Auditor. We also rely on the audited agency’s review of the audit findings and reports as a quality control check on the work. Prior to printing, the final report undergoes an independent review that verifies all numbers, dates, and legal references in the report back to the supporting audit workpapers. On an annual basis, an internal review team examines workpapers for a sample of audits completed during the year to assess compliance with internal policies and procedures. Finally, the OSA undergoes an external peer review every 3 years by a team of auditors from other states and the federal government to assess compliance with Government Auditing Standards.
No. Section 2-3-103(3), C.R.S., states that all of the OSA’s workpapers are confidential and not open for public inspection unless specifically approved for disclosure by a majority vote of the members of the Legislative Audit Committee. However, statutes do not permit the public release of any information that is required to be kept confidential under other federal or state laws. The Legislative Audit Committee has never voted to make any audit workpapers public.
The OSA follows rigorous auditing standards, which require auditors to base their conclusions, findings, and recommendations on evidence that is sufficient, valid, and reliable. As such, the OSA cannot accept information and data from agencies on face value. Auditors must approach the evidence obtained during an audit with professional skepticism and perform procedures, such as reviewing supporting documentation, making observations, and analyzing data, to independently verify or corroborate the validity and reliability of all source evidence we rely on during an audit. When certain evidence is unavailable, unreliable, or cannot be validated, auditors must adjust their work to gather new or different evidence, change or limit the scope of the audit objectives, or modify their conclusions. Limitations in the audit evidence may also be reported in the audit report as a finding or scope limitation. This critical assessment of agencies’ data and information helps ensure that the OSA’s findings, conclusions, and recommendations are objective, fact-based, nonpartisan, and nonideological.
In addition to hiring and promoting qualified personnel, the OSA maintains a commitment to ongoing professional development and learning. All audit staff assigned to audits must complete a total of 80 hours of continuing professional education every 2 years. For example, as of June 30, 2018, the OSA’s auditors possessed collectively more than 450 years of auditing experience. The OSA’s auditors are highly educated; many hold advanced degrees, such as master’s degrees, law degrees, and doctoral degrees. Additionally, about 42 percent of the OSA’s auditors hold professional licenses and certifications, such as Certified Public Accountant, Certified Internal Auditor, Certified Information Systems Auditor, and Certified Fraud Examiner.
Yes, the OSA uses certified public accounting (CPA) firms, consulting firms, and other independent contractors to help fulfill its audit responsibilities. The OSA may contract for an entire audit or for certain portions of an audit to supplement the work being conducted by in-house audit staff. For example, the OSA contracts with CPA firms to conduct annual standalone financial and compliance audits of Colorado’s institutions of higher education. The OSA also contracts with firms to conduct standalone performance and IT audits, evaluations, or studies. Finally, the OSA may use a contractor when an audit requires work in an area of specialized technical skill or expertise (e.g., actuarial, appraisal, clinical/medical review, information security, investment, risk management).
On some audits, the OSA doesn’t rely on sampling techniques at all because the audit team is able to use specialized software to analyze the entire population of agency records. However, many agency records exist only in hard copy format, or the electronic records are not structured in a manner that will allow for a full population analysis. In these situations, auditors must rely on sampling to gather information about the agency’s operations and activities and assess whether problems exist. Also, it is often more cost-effective for auditors to perform time-consuming procedures, such as verifying individual expenditure transactions back to the underlying supporting documentation, only for a sample of items. If statistical sampling is used, we may project the sample results back to the population.
As a general rule, the State Auditor does not have the authority to audit local governments except for when an audit is specifically required by law. For example, Section 32-9-115(3), C.R.S., requires the State Auditor to conduct a performance audit of the Regional Transportation District at least every 5 years. Also, Section 2-3-123, C.R.S., requires the State Auditor to conduct performance audits in 2017, 2022, and 2027 of the gaming cities of Black Hawk, Central City, and Cripple Creek to ascertain how they are using their direct distributions of money from the State Historical Fund.
Yes. Colorado’s Local Government Audit Law (Section 29-1-601, et seq., C.R.S.) requires every local government in the state to undergo an annual financial audit conducted by an independent certified public accountant and to submit the resulting audit report to the State Auditor. The State Auditor is required to review local governments’ audit reports to determine compliance with governmental accounting standards and other requirements. The Local Government Audit Law specifies that local governments with annual revenues and expenditures each less than $750,000 may apply for an exemption from audit, which must be approved by the State Auditor.
The Legislative Audit Committee (Committee) plays a vital role in the overall audit process by publicly releasing each audit report prepared by the State Auditor. The Committee holds a public hearing on the audit report, during which the audit team discusses the audit findings, conclusions, and recommendations. The audited agency is also present at the hearing and discusses its responses to the audit recommendations and the actions it plans to take to improve operations. The Committee is not involved in the day-to-day conduct of audits or in the development of audit conclusions, findings, or the final report. However, the Committee must approve audit requests submitted by members of the General Assembly or the Governor before the OSA will undertake the audit. Legislative Audit Committee hearings generally occur every 2 weeks from January through March and every 6 to 8 weeks from June through December.
Sections 2-3-103(2) and 2-3-103.7(1), C.R.S., prohibit the public disclosure of information contained in any reports prepared by the State Auditor until the report is released by a majority vote of the Legislative Audit Committee (Committee). Until it is publicly released, the report remains a confidential document between the OSA and the agency being audited. This allows the audited agency the ability to review the report and discuss its contents, including any findings and recommendations, with the audit team before the report is finalized. The final report is distributed to the audited agency and the Committee in advance of each scheduled hearing. The report is only released to the public upon a majority vote of the Committee.
No. All Legislative Audit Committee (Committee) hearings are open to the public and live audio of the hearing is broadcast via the Internet. However, unlike other legislative committees, taking public comment is not a function of Committee hearings because it is not a committee of reference. Rather, the purpose of Committee hearings is to provide a forum in which the audit team formally presents its conclusions, findings, and recommendations, and the agency responds to the audit recommendations.
The OSA’s audits and other work products provide policy makers with high-quality, objective information about the efficiency and effectiveness of state government operations. In some cases, the OSA recommends that the agency correct problems identified during its audit by working with the General Assembly to pursue statutory change. Agencies have the opportunity to request support from the Legislative Audit Committee in sponsoring legislation in response to audit findings.
Yes. The OSA has several processes for following up on agencies’ actions in response to audit recommendations. First, the OSA and its contractors perform audit work to follow up on all financial audit recommendations. Each financial audit reports on the implementation status of all prior year audit recommendations. In some cases, unimplemented recommendations may result in a new current year audit recommendation. Second, for performance and IT audits, the OSA requests that agencies provide status reports describing actions taken on each recommendation since the audit report was originally released. The OSA reviews the status reports and relevant supporting documentation to verify the agency's reported implementation status, and audit staff and agency personnel appear before the Legislative Audit Committee to discuss the agency’s status report. Finally, the OSA issues an Annual Report on the Status of Outstanding Audit Recommendations, which compiles and summarizes the implementation status for all performance, financial, and IT audit recommendations made during a rolling 5-year period. This report provides policy makers and the public with information about agencies’ progress toward implementing audit recommendations.
Yes. The OSA undergoes an independent, external peer review every 3 years. The peer review is conducted by a team of experienced individuals from audit organizations in other states as part of the National State Auditors Association’s Peer Review Program. During the peer review, members of the review team examine the OSA’s policies and procedures, interview audit staff, and review audit workpapers for a cross-section of the OSA’s audits. At the end of the review, the team issues an opinion on whether the OSA’s system of quality control provides reasonable assurance that it is complying with Government Auditing Standards when conducting audits. The OSA’s most recent Peer Review Report is available on the OSA’s website—the OSA received a “Pass” rating, which is the highest level of assurance provided by a peer review team.