Despite the current upturn in the U.S. economy, the fiscal outlook for federal, state, and local governments looks grim. For those public servants hoping the end of the protracted period of recession and slow growth would bring an end to budget cuts, staff losses, and reductions in public services, recent reports from the U.S. Government Accountability Office (GAO) make depressing reading.
"All types of federal spending — that is, for both discretionary and entitlement programs, and tax expenditures — will need to be re-examined," the GAO says in The Federal Government's Long-term Fiscal Outlook, published in April 2013. And despite the fact that total tax receipts at the state and local levels have returned to the prerecession levels of 2007, the GAO estimates the entire sector still faces a gap between revenue and spending — a gap that is set to grow.
This ongoing squeeze is likely to mean further cuts to staffing and services rather than the wished-for funding increases. Some predict the public sector's boom-bust model is over. "We're used to moving back into growth mode after a bad year," Bill Greene, president of the Association of Local Government Auditors and city auditor in Phoenix, says. "And people still want it to be that way, but it's not."
He notes the traditional growth model has vanished. "Our model can no longer be to just ignore infrastructure demands, for example, until we get more money. We are going to have to decide exactly what our core services are and what we must spend money on."
With risks piling up in areas such as financial management, infrastructure, and IT, audit functions are overstretched and struggling to provide timely, accurate assurance. Many are becoming more proactive and strategic in both the assignments they undertake and in their control recommendations.
Risk From Recession
The reason government agencies are facing such fundamental decisions over which core services to cut and which to save is easy to see. If cash does not flow back into local public services, cities, and federal departments, the lack of capital expenditure will pile up unfunded liabilities and new risks. Sharon Winslow Erikson, city auditor of San Jose, Calif., estimates that in her city alone, there is almost US $1 billion needed for deferred street maintenance. The city has to find this money now to repair streets or risk having to completely replace the asphalt in five to 10 years.
Infrastructure is not the only area where risk has arisen from the recession. Pension and retiree health-care liabilities have grown fast during a time of shrinking revenues. Staff cuts at police and fire stations have reduced response times and made citizens unhappy about the level of service they are receiving. In addition, critical support departments such as payroll and IT are struggling to keep things going.
Some risks emerging from this situation are making it hard for internal audit departments to do their jobs effectively. For example, during a recent audit of San Jose's overhead calculations, Erikson found a worrying lack of institutional knowledge. Seven different people had prepared the department's plan over the last five years. "When we went in to audit, no one could talk with certainty about why the department had made certain decisions or about why costs should be allocated one way or another," she says. "That sends up a bunch of red flags." The city also had decentralized the approval of employee travel, then laid off the person who previously had coordinated the task. As long-serving staff leave organizations, they take vital knowledge with them.
In addition, the public sector faces risks emerging from the way that IT is pervading contemporary society. For example, the top three nonrecession risks on Theresa Grafenstine's worry list are social media, insider threat, and systems complexity — particularly because when they interact they compound the risks they present individually.
Grafenstine, inspector general of the U.S. House of Representatives, says public-sector organizations have embraced social media to better communicate with the public and meet political pressure to become more transparent. Yet the proliferation of multiple, highly accessible communications platforms is a double-edged sword. "It can be a sieve for intentional or unintentional data spill," she observes, which is a major concern among House members.
Grafenstine says this growth in systems has been coupled with a cultural shift, particularly among younger people, toward massive personal disclosure through platforms such as Facebook, Twitter, Instagram, and Snapchat. Such new attitudes toward sharing data have both increased the risk of data spill and the associated reputational damage such leaks can cause government agencies.
Dovetailing with this easy dissemination of information is what Grafenstine characterizes as an insider threat. This threat may come from employees unintentionally causing damage to the organization by accidentally leaking sensitive data through social media or by plugging a flash drive into a computer to infect it with malicious code. Insider risk also can be intentional where employees are stealing data and selling it to outsiders.
"Insider threat is a big, emerging risk," she says. "Aggregating data and making it accessible to get a big data picture, because we want people to do their jobs better, carries with it a certain amount of risk. You can now grab a whole bunch of data and go unnoticed." The audit function works with its information security experts to understand the techniques used by hackers and those within the organization who may seek to steal data. That has meant constantly changing its audit approaches to reflect the latest threats.
More Work, Less Time
The amount and complexity of the IT systems that public-sector agencies in the United States rely on also has increased over the past two years, pushing cyberthreat higher up the agenda. Large federal government departments, such as the Department of Defense (DoD), are more dependent on such systems now than ever before.
"Security over systems in the Department of Defense is critically essential because we have more and more systems — everything from accounting to human resources systems to weapons systems — that are computer controlled and are potentially vulnerable to cyberattack," Jon Rymer, the department's inspector general, says. "Monitoring and auditing those systems has become much greater and will continue to increase."
While the magnitude of challenges from the recession and emerging technologies also exists in the private sector, internal auditors working across all levels of government are uniquely constrained by their charters and remits. That is because so much of their audit work is mandated by legislation, leaving less time to deal with upcoming issues.
"Balancing between mandated audits and emerging risk audits is one of the main things we struggle with," says Elaine Howle, state auditor in the California State Auditor's Office. Resources have to be prioritized in order:
- Those required by state law, which are generally conducted annually or biannually.
- Work requested by the legislature's Joint Legislative Audit Committee.
- High-risk work, which aims to cover emerging risk and areas of urgent concern.
"Some years I have the resources to do high-risk work," she says, "and some years our resources are very lean because they are dedicated to the other work."
Despite the fact that high-risk work can add a lot of value to public sector agencies, there is no escaping the way that audit functions must prioritize their assignments. That is bound to mean that some risk areas are not audited timely.
Government auditors are adapting to cope better with the velocity and volume of change. Yet as the world has become more interconnected, the risk universe has expanded. Without a good risk assessment process that considers the government agency, the economy, the way the sector the agency operates in is moving, and the way key partners are moving, "you are behind the curve in being able to respond to these fast-moving risks," says Benito Ybarra, chief audit and compliance officer at the Texas Department of Transportation (TxDOT).
Ybarra's solution has been to work more closely with the board and executive management on risk assessment and audit planning than he has in the past. As part of TxDOT's continuous risk assessment process, the audit plan is revisited at least quarterly. Rigid annual audit planning is out. "Going into the year, the board and the executive team know that we have to be agile," he says.
Like Ybarra, Greene's team at the city of Phoenix identifies many more risks than it could possibly audit, so the selection procedure has become crucial. He consults closely with his stakeholders — the audit committee, city policy makers, and executives — and they help him make his selections. "They know more about their risks than internal audit and about what really keeps them up at night," he says.
Despite the improving U.S. economy, overall federal spending continues to be constrained, requiring oversight organizations to find ways to achieve greater efficiency. In fiscal year 2013, for example, the DoD's budget was US $633 billion, roughly half of the U.S. government's discretionary budget. Rymer says auditability has been a problem for many years and the DoD is the only one out of 24 federal departments and agencies subject to the Chief Financial Officers Act of 1990 not to get a clean audit opinion on its financial statements. But some areas of the DoD do not have all the systems they need to allow management to measure performance, develop controls, and produce auditable statements, which makes providing assurance in those areas difficult.
Given the fact that risk in the DoD often arises from unpredictable geopolitical events, Rymer emphasizes its ability to respond quickly and effectively to rapidly changing risk. "The issue here has always been one of being poised to respond quickly to emerging or new risk," he says, "so it is the responsiveness that is the challenge for this organization, for this department, and for the auditor. For that, we need to have knowledge of the activities of the department and be able to provide some oversight and assurance that those programs are working properly."
In addition, coordinating oversight activities with other accountability organizations in the DoD and other government entities will become increasingly important, Rymer says. Rymer leads or participates in 14 planning groups with the military services, the Defense Contract Audit Agency, and with the GAO to collaborate on significant departmental issues and discuss priorities and ways to provide oversight. He says he will continue to enhance coordination with these audit agencies to ensure that the defense accountability community is focused on identified risks, such as the Defense agencies' and military services' enterprise resource planning systems.
Grafenstine insists that better risk management knowledge pervade her department. "My auditors need to understand why they are doing each step of the audit and what risk they are trying to avoid or mitigate," she says. "In an audit report, I need to see why I care that a control has been violated, for example. I never want to be the auditor putting out the million-dollar recommendation to fix a five-dollar problem."
With fewer staff to execute audit recommendations, Grafenstine also advocates being more selective over which controls to implement. "It underscores the need to have a staff that understands risk and understands that you don't necessarily want to hammer people to put in every single control," she says. "You need to understand why that control is being put in and be selective."
The word "proactive" is also on auditors' lips, even when it comes to dealing with the onerous statutory work they face. In California, for example, the U.S. Patient Protection and Affordable Care Act is potentially a huge issue, particularly since the state has established its own exchange, Covered California.
Howle decided to conduct a readiness review of the new exchange before implementation started in October to see whether the project warranted high-risk status. The organization was concerned that an audit would soak up precious time and make it lose focus. But Howle explained that she would not be conducting a root-and-branch audit, but instead would focus on readiness by looking at the key things the project needed to achieve by its October deadline. "We issued the report in July, which gave the managers a few months to correct some of the issues we had identified," she says.
Although the board had not welcomed the audit, it subsequently admitted that it was pleased the auditors had provided assurance to the legislature and the public that the exchange would get up and running successfully. Moreover, the audit had enabled the organization to address any improvements before the project went live.
Government auditors working in this new, more stringent environment have had to couple their traditional analytic and critical-thinking skills with better communication, business knowledge, and project management skills. With so little opportunity for wasted time, audit recommendations in the public sector have to be concise, relevant, and easy to understand. "A lot of ideas can go unimplemented if they are not communicated properly," Ybarra says.
While it is clear that the effects of the recession have created unprecedented challenges to public sector auditors, most are rising to them by becoming more proactive and strategic. They are working more closely with their boards to identify the risks that really matter in core areas, without overburdening them with unnecessary controls. Although it has been a painful process, one consequence of the downturn is leaner, more focused, and relevant internal audit departments serving the country's public agencies.