The Colorado Office of Information Technology has run out of time to implement recommendations made five years ago by the state auditor, members of the Colorado Legislative Audit Committee said last week while discussing the findings of an annual report.
The report found that of 240 recommendations made by auditors dating back to 2014, OIT had still failed to fulfill 44 as of June 30, more than any other government agency, including nine that are considered “high-priority,” leading to exasperated comments from lawmakers wondering why the agency’s taken so long to make recommended changes.
“We’re sitting here looking at a revised deadline that will have been missed for three years come this January, and that’s not even the original deadline,” State Sen. Paul Lundeen said.
Many of the currently unfulfilled recommendations are expected to be completed by the end of the year, Brandi Simmons, OIT’s communications director, told StateScoop. Simmons declined to specify what the overdue recommendations are, but said the majority are “tied to major system replacements or implementations” that could take time to bring into line with state policy requirements.
Colorado OIT is permitted to set its own deadlines for satisfying audit recommendations, but has pushed back those deadlines twice over the last four years. Members of the state auditor’s office said extra time could be necessary for implementing recommendations that could alter large IT projects. But lawmakers say OIT already takes that additional time into consideration when setting deadlines.
“Every time I’ve seen an audit recommendation, it seems that time is built in, and these [unfulfilled recommendations] are still significantly tardier than what we would expect given all of these exterior factors,” Sen. Jim Smallwood said.
Other lawmakers expressed worries that every year that OIT allows to go by without addressing its problems leaves the state at a greater risk for a cyberattack.
“Are we just putting the welcome mat out for hackers?” Sen. Lori Saine asked the auditor’s office.
Deputy State Auditor Matt Devlin declined to answer Saine’s question during the public portion of the hearing.
The auditor’s office doesn’t have the authority to enforce recommendations, but committee chair Nancy Todd said that she no longer wants to give agencies incentives for addressing their recommendations; rather, she said, they just need to do them.
“I don’t want us to have to pay more for them to do the job that they should have done in the first place. The fact is that we’re crossing a point of saying, ‘This has had enough leeway and time given, time’s up,’” Todd said.
Colorado’s technology agency isn’t alone in being behind the curve of its fellow agencies. Chief technology and information officers in Washington and Oklahoma told StateScoop last year that IT agencies can easily play the scapegoat role in state government when they fail to meet the IT needs of all other agencies. Similarly, former South Dakota Chief Security Officer Jim Edman said last year that it’s hard to get money to agencies that often operate in the background of government operations.
“Nobody wants to pay more sales tax, more property tax, higher license fees for those sorts of things, so there has to be a give and take and a negotiation process,” Edman said at the time.
Simmons said that 35 recommendations are still unfulfilled by the agency as of November, all of which are tied to major system replacements or implementations.
“OIT takes audit recommendations very seriously and appreciates the opportunity to improve security for the systems under our purview,” she wrote in an email. “OIT has worked to steadily increase the cybersecurity budget over the past five years to create a more secure environment, resulting in fewer audit recommendations, and hastening the implementation of projects meant to resolve many of the outstanding findings.”