Nearly 100 recommendations from Colorado’s audit office have yet to be implemented

High priority issues include security of state-managed data, mismanagement of the Medicaid program

By: Moe Clark - January 15, 2021 11:13 am

The Colorado State Capitol in Denver is pictured on June 11, 2020. (Andy Bosselman for Colorado Newsline)

Every year, Colorado’s independent audit office issues hundreds of requests to state agencies that are out of compliance with state or federal laws. But year after year, agencies blow past their set deadlines to resolve the issues.

Colorado’s Office of the State Auditor submitted 1,516 recommendations to state agencies between July 2014 and June 2019, according to a 106-page annual report released in December. Although auditees agreed to implement 98% of them, as of June 30, 2020, 95 recommendations have yet to be implemented — 35 of which are considered high priority due to their seriousness or because they have gone unaddressed for over three years. 

Some of the most egregious issues that have gone unaddressed relate to security of state-managed data, mismanagement of the state’s Medicaid program, and lack of oversight for behavioral health programs in state prisons.


“Overall, agencies are doing a good job at implementing their audit recommendations in a timely way,” said Jenny Page, an audit manager in the OSA who oversaw the annual report. “But there are some agencies that have struggled implementing them for a variety of reasons.” 

Three Colorado state agencies make up 69% of the high priority recommendations that have yet to be fully implemented: the governor’s office, the Department of Health Care Policy and Financing and the Department of Corrections.

The annual report was presented to the Legislative Audit Committee on Dec. 7, three days after lawmakers adjourned from a special four-day legislative session. Agencies are required to outline what additional progress they’ve made to implement the recommendations to lawmakers during committee hearings scheduled throughout January and February.

“We present the annual report to all legislators so that they have this information, and then really, it’s left in their hand to hold the agencies responsible in their oversight role,” Page said. “If there have been some delays they try and figure out why and if there needs to be some type of legislative change to help with implementation.”

Information technology office has had issues outstanding since 2013

Over the five-year period, the OSA submitted 304 recommendations to the governor’s office — 90 from financial audits and 214 from performance audits, according to the annual report. As of June 30, 40 remained unimplemented, six of which are considered high priority.

The majority of the recommendations relate to the Governor’s Office of Information Technology, which oversees technology and information systems for all of the state agencies. Since many of the recommendations relate to information security issues or vulnerabilities in IT systems, the majority of them remain sealed from public view and are only outlined in a confidential report sent directly to the OIT.

Gov. Jared Polis talks about Colorado’s Behavioral Health Task force during a press conference on Sept. 23, 2020. (Moe Clark/Colorado Newsline)

“They’re so confidential that none of our staff even get to see them,” said Page, who has been with the OSA since 2001. “There was a closed confidential hearing with the Legislative Audit Committee back in 2017 for them to hear those recommendations, but none of our staff can attend those and we don’t have access to the report.”

Brandi Simmons, a spokeswoman for the OIT, said that the department is making progress implementing the confidential recommendations that are outstanding. 

“In just the past year, we implemented 73% of the outstanding OSA audit findings,” Simmons said in a written statement. “We went from 13 significant deficiencies in 2019 to 7 significant deficiencies in 2020.”

Two of the five high priority recommendations relate to the state’s primary information system for processing taxes collected by the state. The recommendations were outlined in a classified report, according to a 2019 audit.

Simmons said that part of the recommendations that remain outstanding relate to database monitoring. “Options are currently being evaluated and are expected to be implemented in February 2021,” she said. 

Two other recommendations relate to the physical security of the state’s data center, where the OIT manages servers and computers for various state agencies, according to a 2017 audit report. The audit report identified “several problems” related to physical security and access management to the data center. 

“Ultimately, if physical access to the data center, and the systems and data within it, are not managed properly, it could adversely impact the accuracy and completeness of information relevant to the State’s financial reporting activities,” the auditors said in the 2017 report.

Simmons said in a written statement that the OIT believes the level of risk related to these recommendations is low and that they relate to a lack of documented agreements between state agencies.

“Nevertheless, a Memorandum of Agreement (MOA) to document current data center roles and responsibilities is being drafted, and OIT will work with the appropriate agencies to ensure signoff,” Simmons said.

Another high priority recommendation relates to information security issues with the state’s unemployment benefits system, automated tax system and the Labor and Employment Applicant Resource. Simmons said the pandemic has slowed plans to resolve these issues. The original implementation date was set for June 2018. Now, it’s the end of next June.

“Progress on this work was impacted by the COVID-19 response and modernization efforts underway,” Simmons said. “However, the recommendation was implemented in two of the three systems.”

High priority issues related to state’s Medicaid program 

The Department of Health Care Policy and Financing, or HCPF, has 14 high priority recommendations pending – most of which are in the highest deficiency category and relate to the state’s Medicaid program, which provides health insurance for low-income people. The state program is partially federally-funded. 

“The audit team identified problems with HCPF ensuring that the people who should be eligible are getting Medicaid benefits, or if people who are not eligible are getting Medicaid benefits,” Page said. 

Another pending recommendation relates to how the department ensures that providers that give Medicaid services have the proper certification.

Two-month-old Karina receives drops of children’s Tylenol after getting a vaccination at Rocky Mountain Youth Clinics in 2009 in Aurora. Many of the clinic’s patients are on Medicaid. (John Moore/Getty Images)

The majority of the issues were identified in 2017 and were outlined in the 2019 audit report. During the audit, the OSA team looked at a random sample of 125 Medicaid cases and found 32 of them contained errors. 

Within the sample, the audit team identified $95,785 of unknown costs between July 1, 2018, and March 31, 2019. Using the sample, the team estimated that HCPF paid between $80 million and $486 million on behalf of people who were ineligible for the program during that time period. The audit team estimated that between 2% and 10% of the total number of people who received Medicaid benefits during that period were ineligible for the program.

“This does not result in specific over expenditures of the State’s General Fund or federal funds,” the auditors wrote in the report. “However, this calculation indicates that if we tested the entire population, there is a 90 percent likelihood of finding the true amount of questioned costs to be between $80,255,528 and $485,851,363 and would most likely be close to $283,053,446 in erroneous payments.”

Many of the issues raised in the audit report are classified as a “material weakness.” 

“The reason it’s called material is because it relates to the financial statements,” Page explained. “That means that there’s a possibility, a reasonable possibility, that the department’s financial statements can be materially misstated, or, it means that there’s some type of material non-compliance.”

Since the state audit report was compiled, HCPF reports that they have addressed four of their outstanding recommendations, including one related to how they manage financial reporting for the Medicaid program. HCPF provided the update to lawmakers during a Jan. 7 Joint Budget Committee hearing.

Issues at Corrections, first identified in 2016, relate to behavioral health services

Colorado’s Department of Corrections has four high priority OSA recommendations, all relating to behavioral health programs, which were first identified in a 2016 audit report. CDOC is responsible for administering mental health and substance abuse services and sex offender treatment for all inmates held in state correctional facilities.

The 2016 audit report found the department lacked “adequate processes and data to monitor staff for compliance with its regulations and standards to demonstrate the effectiveness of its Mental Health Services Program and the Sex Offender Treatment and Monitoring Program.” The report also identified that the department did not use a risk-based approach to prioritize offenders for enrollment in the sex offender program.

The recommendations made in the report were to improve how the department administered, tracked and determined eligibility for the programs. CDOC agreed to all of the recommendations and had stated that the recommendations would be implemented between March 2017 and December 2018.

“The four remaining audit recommendations are dependent upon the completion of the development of a new database system,” Annie Skinner, a CDOC spokeswoman, said in an email. “The department has been working with the Colorado Office of Information and Technology for the last several years on the creation of this new system, and once it is completed, CDOC will be able to move forward with those recommendations.”



Moe Clark

Moe Clark is a former Colorado Newsline reporter who covered criminal justice, housing and homelessness, and other social issues.