- Office of the State Auditor
- Bureau of Special Investigations
- Division of Local Mandates
Boston — As prepared for delivery.
Good morning, Chairman Rodrigues, Chairman Michlewitz, and members of the committees. Thank you for the opportunity to speak with you today about the work of my office and my budget request for fiscal year 2023.
I want to start by thanking each of you for your partnership and action over the past year, including in allocating increased funding for the state-owned land payment-in-lieu-of-taxes program as recommended last year and providing funding to cover the costs associated with early voting. I hope to continue this positive relationship in the coming fiscal year.
FY22 was a productive year for the Office.
- Since we last gathered, my office has released fifty three audits, including ones that examined the proper use of CARES Act funds by higher education institutions; state agency adherence to required cybersecurity training; barriers to accessing public benefit programs; prudent spending of government resources; and opportunities for savings and efficiencies in MassHealth;
- We have released a major report from the Division of Local Mandates that examined the critical need for transportation investment in rural communities and the creation of a new public infrastructure agency dedicated to the construction or renovation of municipal and public safety buildings; and
- We are in the final stages of producing our annual benefits fraud report and our 5-year review of unfunded mandates.
I am also pleased to report that we have returned to our statewide offices in a hybrid fashion, which has its own inherent value in fostering collaboration amongst staff; and we have achieved 100% compliance with our COVID-19 policies in a sustained effort to keep our staff safe and healthy at work.
We take great pride in our efforts to make government work better and ask for your support to continue this work. For FY23, we are seeking what is essentially a maintenance of effort budget, with a modest increase of $1.1 million in existing line items and a plan to maintain current staffing levels.
Continued financial support from the legislature has helped our office become a recognized leader in government accountability - with three national awards last year - from the National Conference of State Legislatures, the National State Auditors Association, and the Association of Government Accountants. This continued financial support is increasingly important as my office conducts auditing of federal pandemic relief allocations. We know that the urgency of getting relief dollars into the hands of state and local governments, businesses, and individuals necessitated the lowering of some of the normal barriers that regulate eligibility for government contracting and relief programs. With that, it is already apparent that these historic federal relief programs have also been subject to “historic levels of fraud, waste, and abuse.” Those are the words of the Pandemic Response Accountability Committee, created by Congress and comprised of federal inspectors general.
As I indicated in testimony last year before the House Committee on Federal Stimulus and Census Oversight, my office already is working into our audit plans objectives relative to compliance with federal spending requirements. The Reserve Fund that you included in the December ARPA spending bill will give us the opportunity to do more than audit compliance with the rules. It will enable us to access expertise to assist us in evaluating whether the methods and systems that distributed the relief funding afforded equitable access and produced equitable results. This is not actually new territory for us, as we done many audits and reports over the past decade that examined this issue in areas including criminal justice, health care, and transportation, but the reserve fund will enable us to sharpen this focus. It is our hope that this will ultimately provide insight not into just the distribution of pandemic relief funds, but also into ongoing agency program design.
I know this is a priority of this legislature and, as made clear in a teleconference last week, it is also the desire of the U.S. Government Accountability Office that state auditors conduct performance audits with an equity emphasis. This priority was emphasized in a recent technical update to the GAO Yellow Book, which provides illustrative examples of how auditors can assess equity in performance audits. Whether it is equity in geography, business size or type, income, race, or any of a number of other factors, public trust requires that our distribution systems provide equitable access.
We in the Auditor’s office take pride that we excel in many areas. There is one area, however, where we need to grow; that is in ensuring that state government entities have effective internal controls in place over their IT operations. State agencies collect and use vast sums of information. They also engage in a multitude of financial transactions. It is essential that an organization’s IT infrastructure and data are secure as the number and level of sophistication of cyber threats continue to increase. There are countless examples across business and government of bad actors stealing personal and financial information, shutting down vital systems of communication and other infrastructure, holding data system access for ransom, defrauding individuals and businesses of billions of dollars. The risks are enormous. That is why I am asking this year for $500,000 to plan and launch an IT audit initiative.
According to the 2021 “Auditing in the States” report conducted by the National Association of State Auditors, Comptrollers and Treasurers, for those states that reported their IT audit information, only 10 states and Guam reported that they have no IT auditors. While we have sufficient expertise to avoid being put on that list, our resources are meager.
Up to this point our office has been conducting performance audits in areas such as internal control policy and cybersecurity awareness and trainings, nearly all of which have found imperfect compliance with agencies’ protocols. We have also found agencies lax in their oversight of contractors who have access to IT systems and data. While this is good and important work, this office needs to become more expert and aggressive in auditing the performance of IT systems and ensuring compliance with national and international security standards. We need a team of well-trained IT professionals to be able to probe more deeply and test for system vulnerabilities.
My office has already begun to lay the groundwork to build out and support this IT Audit Unit by initiating conversations with experts in the fields of IT and auditing at the Isenberg School of Management at UMass Amherst. Fulfillment of our request for $500,000 to launch this initiative will allow us to pursue formal consulting for this work, to create staffing, recruitment, training, and compensation models and to identify the software and hardware we will need to acquire.
As is the case with our office’s other specialized units, such as the Data Analytics Unit and Medicaid Unit, I would suggest that the IT Audit Unit be funded in be a separate line item, which our surveys of other states show is a generally accepted best model for IT Audit Units.
During my tenure in the Auditor’s Office, I have come to understand that to be an effective voice for accountability, we must lead by example. My office’s budget proposal for the upcoming fiscal year will allow us to do just that. It will commit us to strengthening our oversight work in areas of high-risk, putting equity at the forefront of our work, using data and technology to move us forward, and prioritizing the people and systems that make all this possible.
I again want to thank you for your service to the residents and taxpayers of the Commonwealth, and I am happy to answer any questions you may have.