§ 2-3-103. Duties of state auditor - definition

CO Rev Stat § 2-3-103 (2018)

(1) (a) It is the duty of the state auditor to conduct or cause to be conducted postaudits of all financial transactions and accounts kept by or for all departments, institutions, and agencies of the state government, including educational institutions, and the judicial and legislative branches, to conduct performance postaudits thereof, and to perform similar or related duties with respect to such political subdivisions of the state as may be required by law. Postaudits of all financial transactions and accounts may be conducted on a biennial basis.

(b) The state auditor shall have the authority to conduct or cause to be conducted postaudits of all financial transactions and accounts kept by or for any special purpose authority as defined in section 24-77-102 (15), C.R.S., or any state entity designated as an enterprise as defined in section 20 (2)(d) of article X of the state constitution, including performance postaudits thereof, except for:

(I) Any special purpose authority or state entity whose governing body includes the state auditor as an ex officio member;

(II) Any hospital that is subject to audit under the "Colorado Medical Assistance Act", articles 4 to 6 of title 25.5, C.R.S., or medicare, Title XVIII of the federal "Social Security Act", as amended; or

(III) Any special purpose authority or state entity where the authority's or entity's actions are subject to a performance audit, or such similar audit, by the federal government. Upon completion of such a federal performance audit, a copy of the audit shall be shared with the state auditor.

(1.5) (a) In addition to any other duties granted by law, the state auditor may assess, confirm, and report on the security practices of all of the information technology systems maintained or administered by all departments, institutions, and agencies of state government, including educational institutions and the judicial and legislative branches. The state auditor may perform similar or related duties with respect to political subdivisions of the state where the state auditor has been granted authority to perform financial or performance audits with respect to such political subdivisions. In order to perform such duties, the state auditor may conduct penetration or similar testing of computer networks or information systems of the state or a political subdivision, as applicable, assess network or information system vulnerability, or conduct similar or related procedures to promote best practices with respect to the confidentiality, integrity, and availability of information systems technology as the state auditor deems necessary in his or her discretion. In conducting such testing, the state auditor may contract with auditors or information technology security specialists, or both, who possess the necessary specialized knowledge and experience to perform the required work. The authority of the state auditor pursuant to the requirements of this subsection (1.5) are coextensive with the state auditor's authority under this part 1.

(b) Any testing or assessment of security practices and procedures concerning information technology in accordance with paragraph (a) of this subsection (1.5) shall be conducted or caused to be conducted by the state auditor:

(I) After consultation and in coordination with, but not requiring the approval of, the chief information officer appointed pursuant to section 24-37.5-103, C.R.S., or any person performing comparable duties for either a state agency that is not under the jurisdiction of the office of information technology created in section 24-37.5-103, C.R.S., or a political subdivision of the state;

(II) In accordance with industry standards prescribed by the national institute of standards and technology or any successor agency; and

(III) After the state auditor and any other person with whom the state auditor is required to consult in accordance with the requirements of subparagraph (I) of this paragraph (b) have agreed in writing to rules governing the manner in which the testing or assessment is to be conducted, including a mitigation plan for handling significant system outages or disruptions in the event they occur.

(2) The state auditor shall prepare for the committee reports and recommendations on the postaudits conducted, and, under the direction of the committee, shall prepare an annual report to contain, among other things, copies of or the substance of audit reports on the various departments, institutions, and agencies as well as a summary of recommendations made in regard thereto. All reports must be open to public inspection except for that portion of any report containing recommendations, comments, and any narrative statements which is released only upon the approval of a majority vote of the committee.

(3) The state auditor shall keep a complete and accurate set of records on the fiscal transactions of the state auditor's office, and shall also keep a complete file of copies of all audit reports, including work papers, and copies of examinations, investigations, and any other reports or materials issued by the state auditor, the state auditor's staff, or by the committee. The work papers of the office of the state auditor shall be open to public inspection only upon approval of a majority of the members of the committee. Only the specific work papers that the committee votes to approve for disclosure shall be open to public inspection. Work papers that have not been specifically approved for disclosure by a majority vote of the committee shall remain confidential. Under no circumstances shall the work papers be open to public inspection prior to the completed report being filed with the committee.

(4) All expenses incurred by the office of the state auditor, including salaries and expenses of employees, shall be paid upon vouchers signed by the chairman of the committee and drawn on funds appropriated for legislative expenses and allocated to the office of the state auditor; except that any payroll voucher or any other voucher which does not exceed one thousand dollars may be signed by the state auditor or by the state auditor's authorized designee.

(5) It is the duty of the state auditor to annually evaluate the investments of the public school fund and report to the committee any loss of principal of such fund that, in the state auditor's judgment, exists.

(6) Repealed.

(7) Upon a determination by the state auditor that the provisions of section 20-1-112, C.R.S., have not been met, the state auditor shall cause to be conducted a postaudit of any noncomplying office of district attorney. The expenses of such a postaudit shall be borne by the office of district attorney.

(8) The state auditor shall review or cause to be reviewed all enterprise designations submitted to the office of the state auditor pursuant to the provisions of sections 23-3.1-103.5 and 23-5-101.5, C.R.S., to ensure that such designations conform to the requirements of section 23-3.1-103.5 or 23-5-101.5, C.R.S., whichever is applicable, and to the provisions of section 20 of article X of the state constitution. In addition, the state auditor shall recommend to the legislative audit committee those designations, if any, which, in the opinion of the state auditor, should be allowed to expire and shall otherwise assist the legislative audit committee in reviewing the enterprise designations submitted to the office of the state auditor.

(9) It is the duty of the state auditor to conduct or cause to be conducted performance audits as specified in section 2-7-204 (5).

(9.5) It is the duty of the state auditor to notify the appropriate joint committee of reference as determined pursuant to section 2-7-203 when a department has not completed recommendations made by the state auditor within the time provided.

(9.7) It is the duty of the state auditor to establish and administer the fraud hotline as specified in section 2-3-110.5.

(10) As used in this section, unless the context otherwise requires:

(a) "Information technology" shall have the same meaning as specified in section 24-37.5-102 (2), C.R.S.