An audit is a systematic and objective examination that involves extensive review and analysis of various data, documentation, and processes. The OSA’s financial, performance, and IT audits provide solution-based recommendations that focus on reducing costs, increasing efficiency, promoting the achievement of legislative intent, improving the effectiveness of programs and the quality of services, ensuring transparency in government, and ensuring the accuracy and integrity of financial and other information that decision makers need to hold government agencies accountable for the use of public resources.
The OSA functions as the State’s independent external auditor. The Colorado Constitution and state statute grant the State Auditor broad authority to conduct performance, financial, and IT audits of all state departments and agencies, public colleges and universities, the Judicial Branch, most special purpose authorities, any entity designated as an enterprise, and other political subdivisions as required by law.
As a general rule, the State Auditor does not have the authority to audit local governments except for when an audit is specifically required by law. For example, Section 32-9-115(3), C.R.S., requires the State Auditor to conduct a performance audit of the Regional Transportation District at least every 5 years. Also, Section 2-3-123, C.R.S., requires the State Auditor to conduct performance audits in 2017, 2022, and 2027 of the gaming cities of Black Hawk, Central City, and Cripple Creek to ascertain how they are using their direct distributions of money from the State Historical Fund.
The State Auditor is authorized to access all accounts, records, or other data, including confidential data that are required to complete an audit. According to Section 2-3-107(2)(a), C.R.S., the State Auditor or designated representative “shall have access at all times…to all of the books, accounts, reports, vouchers, or other records or information in any department, institution, or agency.” This right of access includes “records or information required to be kept confidential or exempt from public disclosure upon subpoena, search warrant, discovery proceedings, or otherwise.” When accessing confidential health records, statute requires the State Auditor to determine whether the information is necessary to achieve the audit objectives. In addition to the State Auditor’s right of access, Section 2-3-107(1), C.R.S., grants the Legislative Audit Committee the power to subpoena witnesses, documents, and records, and to take testimony under oath.
The OSA follows Government Auditing Standards, which require that the audit organization and the individual auditor be independent in all matters relating to the audit work. The Colorado Constitution establishes the State Auditor as a nonpartisan position within the Legislative Branch so that it is organizationally separate from and independent of the Executive and Judicial Branch agencies that it audits. Each year, the OSA requires all of its employees to sign an Affidavit of Independence disclosing any known or potential threats to their independence. Any threats to auditor independence are analyzed for their significance and safeguards are put in place to eliminate or mitigate the threats. The OSA also requires the private firms with which it contracts for audit services to affirm their independence with respect to any engagement conducted on behalf of the OSA.
The overall purpose of the OSA’s financial, performance, and IT audits is to ensure government accountability for the use of public funds. However, these audits differ in their purpose and objectives. The financial audit covers the State of Colorado's financial statements and large federally-funded programs.
• Financial audits determine whether the State’s financial information is fairly presented, in all material respects, and that agencies receiving federal grants are complying with applicable grant requirements.
• Performance audits can cover a state department, program, revenue stream, or other areas that encompass several departments. Performance audits determine whether programs are operated in an effective and efficient manner to accomplish their intended goals and in compliance with laws and regulations.
• IT audits focus on critical state information systems. IT audits determine the design and effectiveness of controls over critical state information systems to help ensure the confidentiality, integrity, and availability of these systems and data. IT audit work is performed under the State's annual financial audit and as separate, risk-based performance audits.
In addition to conducting performance, financial, and IT audits, the OSA carries out the following major statutory responsibilities:
• Conducts evaluations of all state tax expenditures on a 5-year cycle [Section 39-21-305(1)(d), C.R.S.]. These evaluations look at several statutorily-required factors related to tax expenditures, such as whether they are meeting their intended purpose, their economic impact to the State, and whether other states offer similar types of expenditures.
• Monitors local governments for compliance with the Local Government Audit Law [Section 29-1-601, et seq., C.R.S.]. Statute requires every local government in the state to undergo an annual financial audit conducted by an independent certified public accountant and to submit the resulting audit report to the State Auditor, with exemptions available for small governments. The State Auditor is required to review local governments’ audit reports to determine compliance with governmental accounting standards and other requirements and to approve the applications for exemption.
• Administers a statewide fraud reporting hotline [Section 2-3-110.5, C.R.S.]. The OSA’s Fraud Hotline receives reports about allegations of occupational fraud by state employees or state contractors. The OSA is responsible for screening Hotline calls and referring them to affected state agencies and, in some circumstances, for investigating fraud allegations.
The OSA’s work plan is determined by three factors:
• Statutory or other legal requirements.
• Requests from members of the General Assembly or the Governor that are approved by the Legislative Audit Committee.
• The State Auditor’s discretion based on risk, audit coverage, and other considerations.
In Fiscal Year 2020, 82 audits (89%) were conducted in response to statutory or other legal requirements, seven audits (8%) were conducted in response to legislative requests, and three audits (3%) were discretionary audits.
Yes. The State Auditor receives audit requests from many different sources, including legislators, state agencies, and private citizens.
Section 2-3-108, C.R.S., requires the Legislative Audit Committee (Committee) to approve any audit requests from members of the General Assembly or the Governor. According to the Committee’s rules, the audit request must be made on the letterhead of, and signed by, the member of the General Assembly or the Governor, as applicable, and submitted to the State Auditor. When a legislative or gubernatorial audit request is received, the State Auditor first seeks approval from the Committee to conduct initial research on the request. This research helps the OSA better understand the reasons for the request and evaluate the feasibility of an audit. Once the initial research is complete, the State Auditor issues a memo to the Committee that outlines the proposed focus of the audit, if an audit is feasible. A majority of the Committee members must vote to proceed with the request before the OSA puts the audit on its work plan for assignment to an available audit team.
Audit requests from members of the public, state agencies, and others are performed at the sole discretion of the State Auditor based on an evaluation of several factors, such as whether the OSA has jurisdiction over the matter, the feasibility of an audit, staffing and resource considerations, and risk and coverage. Audit requests should be made by submitting a letter or email to the State Auditor stating specific details about the problem or concern giving rise to the request; the program, function, or activity that would be the focus of the audit; and the requester’s contact information.
The OSA conducts its audits in accordance with Government Auditing Standards (commonly referred to as generally accepted government auditing standards, GAGAS, or the Yellow Book) promulgated by the U.S. Comptroller General. These professional standards provide a framework for performing high-quality audit work and address every aspect of an audit, including planning the audit, ensuring the independence and competence of the audit staff who work on the audit, gathering sufficient and appropriate evidence, and reporting on the audit’s findings, conclusions, and recommendations. Financial audits are also conducted in accordance with the American Institute of Certified Public Accountants (AICPA) Auditing Standards and the federal Uniform Grant Guidance and Compliance Supplement.
Although each audit is unique, the OSA’s audits generally have three phases—planning, fieldwork, and reporting. During the planning phase of the audit, the audit team works to gain an understanding of the agency’s or program’s activities, assess risks, and make decisions about the scope and objectives of the audit. The audit team also develops procedures that will help guide the work during the fieldwork phase of the audit. Typically, during the fieldwork phase, audit teams perform detailed data analysis and review of source documentation, interview agency personnel and others, and conduct site visits or make physical observations. The goal of the fieldwork phase is to gather evidence that is sufficient, valid, and reliable on which to formulate our findings, conclusions, and recommendations. During the reporting phase of the audit, the audit team prepares a report whose purpose is to communicate the audit’s findings, conclusions, and recommendations to the agency, the General Assembly, others who may be charged with governance, and the public. Once the audit report is finalized, it is made public and discussed during a hearing of the Legislative Audit Committee.
Many factors affect audit timeframes, including the scope and complexity of the audit, staffing resources, and the availability of agency documents, data, and personnel. The OSA’s performance audits typically take about 9 to 11 months to complete. The OSA’s statewide financial audit, which is performed on an annual basis, takes about 12 months to complete.
Yes. Every phase of the audit, from the entrance conference until the finalization of the audit report, involves interaction with and input from the audited agency. Input from the audited agency is an important part of ensuring that the audit is fair, complete, and objective. Additionally, the OSA provides a draft audit report for review and comment by the agency before the report is finalized and distributed to the Legislative Audit Committee or released to the public. During the review process, the agency provides the OSA with feedback on the findings, conclusions, recommendations, and report narrative, as well as technical corrections. The agency’s formal written response to each audit recommendation is included in the final audit report, along with the agency’s planned action and implementation date.
The OSA’s overall system of quality control relies on a number of different factors to ensure high-quality work that can be trusted and relied upon. As a foundation for the OSA’s system of quality control, written policies and procedures are communicated to all staff and set expectations for all aspects of an audit, including compliance with independence, legal, and ethical requirements; adherence to auditing standards; and internal and external monitoring. For example, the OSA requires supervisory review of all audit work performed. Audit findings and reports are reviewed at multiple levels in the organization, up to and including the Deputy State Auditor and the State Auditor. The auditors also rely on the audited agency’s review of the audit findings and reports as a quality control check on the work. Prior to printing, the final report undergoes an independent review that verifies all numbers, dates, and legal references in the report back to the supporting audit workpapers. On an annual basis, an internal review team examines workpapers for a sample of audits completed during the year to assess compliance with internal policies and procedures. Finally, the OSA undergoes an external peer review every 3 years by a team of auditors from other states and the federal government to assess compliance with Government Auditing Standards, AICPA Auditing Standards, and the federal Uniform Grant Guidance and Compliance Supplement.
No. Section 2-3-103(3), C.R.S., states that all of the OSA’s workpapers are confidential and not open for public inspection unless specifically approved for disclosure by a majority vote of the members of the Legislative Audit Committee. However, statutes do not permit the public release of any information that is required to be kept confidential under other federal or state laws. The Legislative Audit Committee has never voted to make any audit workpapers public.
The OSA follows rigorous auditing standards, which require auditors to base their conclusions, findings, and recommendations on evidence that is sufficient, valid, and reliable. As such, the OSA cannot accept information and data from agencies on face value. Auditors must approach the evidence obtained during an audit with professional skepticism and perform procedures, such as reviewing supporting documentation, making observations, and analyzing data, to independently verify or corroborate the validity and reliability of all source evidence relied upon during an audit. When certain evidence is unavailable, unreliable, or cannot be validated, auditors must adjust their work to gather new or different evidence, change or limit the scope of the audit objectives, or modify their conclusions. Limitations in the audit evidence may also be reported in the audit report as a finding or scope limitation. This critical assessment of agencies’ data and information helps ensure that the OSA’s findings, conclusions, and recommendations are objective, fact-based, nonpartisan, and nonideological.
On some audits, the OSA does not rely on sampling techniques at all because the audit team is able to use specialized software to analyze the entire population of agency records. However, many agency records exist only in hard copy format, or the electronic records are not structured in a manner that will allow for a full population analysis. In addition, for financial audits, auditors often use sampling to test an agency's internal controls in key areas in order to assess risk areas and plan further testing. In these situations, auditors must rely on sampling to gather information about the agency’s operations and activities and assess whether problems exist. Also, it is often more cost-effective for auditors to use sampling methods, performing more time-consuming procedures, such as verifying individual expenditure transactions back to the underlying supporting documentation, only for a sample of items. If statistical sampling is used, auditors may project the sample results back to the population. Auditing standards allow both nonstatistical and statistical sampling methods to be used.
In addition to hiring and promoting qualified personnel, the OSA maintains a commitment to ongoing professional development and learning. All audit staff assigned to audits must complete a total of 80 hours of continuing professional education every 2 years. For example, as of June 30, 2020, the OSA’s auditors possessed collectively more than 500 years of auditing experience. About 57 percent of the OSA's auditors hold advanced degrees, such as master’s degrees, law degrees, and doctoral degrees. Additionally, about 40 percent of the OSA’s auditors hold professional licenses and certifications, such as Certified Public Accountant, Certified Internal Auditor, Certified Information Systems Auditor, and Certified Fraud Examiner.
Yes, the OSA uses certified public accounting (CPA) firms, consulting firms, and other independent contractors to help fulfill its audit responsibilities. The OSA may contract for an entire audit or for certain portions of an audit to supplement the work being conducted by in-house audit staff. For example, the OSA contracts with CPA firms to conduct annual standalone financial and compliance audits of Colorado’s institutions of higher education. The OSA also contracts with firms to conduct standalone performance and IT audits, evaluations, or studies. Finally, the OSA may use a contractor when an audit requires work in an area of specialized technical skill or expertise (e.g., actuarial, appraisal, clinical/medical review, information security, investment, risk management).
Yes. Colorado’s Local Government Audit Law (Section 29-1-601, et seq., C.R.S.) requires every local government in the state to undergo an annual financial audit conducted by an independent certified public accountant and to submit the resulting audit report to the State Auditor. The State Auditor is required to review local governments’ audit reports to determine compliance with governmental accounting standards and other requirements. The Local Government Audit Law specifies that local governments with annual revenues or expenditures for any fiscal year that are not more than $750,000 may apply to the State Auditor for an exemption from audit.
The Legislative Audit Committee (Committee) plays a vital role in the overall audit process by publicly releasing each audit report prepared by the State Auditor. The Committee holds a public hearing on the audit report, during which the audit team discusses the audit findings, conclusions, and recommendations. The audited agency is also present at the hearing and discusses its responses to the audit recommendations and the actions it plans to take to improve operations. The Committee is not involved in the day-to-day conduct of audits or in the development of audit conclusions, findings, or the final report. However, the Committee must approve audit requests submitted by members of the General Assembly or the Governor before the OSA will undertake the audit. Legislative Audit Committee hearings generally occur every 2 weeks from January through March and every 6 to 8 weeks from June through December.
Sections 2-3-103(2) and 2-3-103.7(1), C.R.S., prohibit the public disclosure of information contained in any reports prepared by the State Auditor until the report is released by a majority vote of the Legislative Audit Committee (Committee). Until it is publicly released, the report remains a confidential document between the OSA and the agency being audited. This allows the audited agency the ability to review the report and discuss its contents, including any findings and recommendations, with the audit team before the report is finalized. The final report is distributed to the audited agency and the Committee in advance of each scheduled hearing. The report is only released to the public upon a majority vote of the Committee.
Due to the potential damage that could be caused by the misuse of the information if disclosed publicly, Government Auditing Standards allow for information that is prohibited from general disclosure by federal, state, or local laws or regulations and information considered sensitive in nature, such as detailed information related to information technology system security, to be omitted from public reports. In these circumstances, the OSA relies on other means of communicating the audit results to agency management and those charged with governance. For example, if the Legislative Audit Committee does not vote to release an audit report to the public, in order to limit disclosure of sensitive information, these reports would not be subject to public inspection and would always remain confidential. However, in these instances, it may be appropriate to issue both a limited use report and a publicly available report with the sensitive information excluded, or presented in a highly condensed or summarized form to allow for some public reporting of the audit information while still preserving the confidentiality of any related sensitive information.
No. All Legislative Audit Committee (Committee) hearings are open to the public and live audio of the hearing is broadcast via the Internet. However, unlike other legislative committees, taking public comment is not a function of Committee hearings because it is not a committee of reference. Rather, the purpose of Committee hearings is to provide a forum in which the audit team formally presents its conclusions, findings, and recommendations, and the agency responds to the audit recommendations.
The OSA’s audits, tax expenditure evaluations, and other work products provide policy makers with high-quality, objective information about the efficiency and effectiveness of state government operations. In some cases, the OSA recommends that the agency correct problems identified during its audit by working with the General Assembly to pursue statutory change. Agencies have the opportunity to request support from the Legislative Audit Committee in sponsoring legislation in response to audit findings. The tax expenditure evaluations include a policy consideration section that legislators use to discuss possible statutory changes.
Yes. The OSA has several processes for following up on agencies’ actions in response to audit recommendations. First, the OSA and its contractors perform audit work to follow up on all financial audit recommendations, including IT-related financial audit recommendations. Each financial audit reports on the implementation status of all prior year audit recommendations. In some cases, unimplemented recommendations may result in a new current year audit recommendation. Second, for performance and IT audits, the OSA requests that agencies provide a status report approximately 6 months to 1 year after release of the audit report to describe actions taken on each recommendation. The OSA reviews the status reports and relevant supporting documentation to verify the agency's reported implementation status, and audit staff and agency personnel appear before the Legislative Audit Committee to discuss the agency’s status report. Finally, the OSA issues an Annual Report on the Status of Audit Recommendations Not Fully Implemented, which compiles and summarizes the implementation status for all financial, performance, and IT audit recommendations made during a rolling 5-year period. This report provides policy makers and the public with information about agencies’ progress toward implementing audit recommendations over time.
Yes. The OSA undergoes an independent, external peer review every 3 years. The peer review is conducted by a team of experienced individuals from audit organizations in other states as part of the National State Auditors Association’s Peer Review Program. During the peer review, members of the review team examine the OSA’s policies and procedures, interview audit staff, and review audit workpapers for a cross-section of the OSA’s audits. At the end of the review, the team issues an opinion on whether the OSA’s system of quality control provides reasonable assurance that it is complying with Government Auditing Standards, AICPA Auditing Standards, and the federal Uniform Grant Guidance and Compliance Supplement when conducting audits. The OSA’s most recent Peer Review Report is available on the OSA’s website—the OSA received a “Pass” rating, which is the highest level of assurance provided by a peer review team.
The OSA's financial activities are also audited as part of the Legislative Branch's annual financial audit.