(1) (a) It is the duty of the state
auditor to conduct or cause to be conducted postaudits of all financial transactions
and accounts kept by or for all departments, institutions, and agencies of the state
government, including educational institutions, and the judicial and legislative
branches, to conduct performance postaudits thereof, and to perform similar or
related duties with respect to such political subdivisions of the state as may be
required by law. Postaudits of all financial transactions and accounts may be
conducted on a biennial basis.
(b) The state auditor shall have the authority to conduct or cause to be
conducted postaudits of all financial transactions and accounts kept by or for any
special purpose authority as defined in section 24-77-102 (15), C.R.S., or any state
entity designated as an enterprise as defined in section 20 (2)(d) of article X of the
state constitution, including performance postaudits thereof, except for:
(I) Any special purpose authority or state entity whose governing body
includes the state auditor as an ex officio member;
(II) Any hospital that is subject to audit under the Colorado Medical
Assistance Act, articles 4 to 6 of title 25.5, C.R.S., or medicare, Title XVIII of the
federal Social Security Act, as amended; or
(III) Any special purpose authority or state entity where the authority's or
entity's actions are subject to a performance audit, or such similar audit, by the
federal government. Upon completion of such a federal performance audit, a copy
of the audit shall be shared with the state auditor.
(1.5) (a) In addition to any other duties granted by law, the state auditor may
assess, confirm, and report on the security practices of all of the information
technology systems maintained or administered by all departments, institutions,
and agencies of state government, including educational institutions and the
judicial and legislative branches. The state auditor may perform similar or related
duties with respect to political subdivisions of the state where the state auditor has
been granted authority to perform financial or performance audits with respect to
such political subdivisions. In order to perform such duties, the state auditor may
conduct penetration or similar testing of computer networks or information
systems of the state or a political subdivision, as applicable, assess network or
information system vulnerability, or conduct similar or related procedures to
promote best practices with respect to the confidentiality, integrity, and availability
of information systems technology as the state auditor deems necessary in his or
her discretion. In conducting such testing, the state auditor may contract with
auditors or information technology security specialists, or both, who possess the
necessary specialized knowledge and experience to perform the required work. The
authority of the state auditor pursuant to the requirements of this subsection (1.5)
is coextensive with the state auditor's authority under this part 1.
(b) Any testing or assessment of security practices and procedures
concerning information technology in accordance with paragraph (a) of this
subsection (1.5) shall be conducted or caused to be conducted by the state auditor:
(I) After consultation and in coordination with, but not requiring the approval
of, the chief information officer appointed pursuant to section 24-37.5-103, C.R.S.,
or any person performing comparable duties for either a state agency that is not
under the jurisdiction of the office of information technology created in section 24-37.5-103, C.R.S., or a political subdivision of the state;
(II) In accordance with industry standards prescribed by the national institute
of standards and technology or any successor agency; and
(III) After the state auditor and any other person with whom the state auditor
is required to consult in accordance with the requirements of subparagraph (I) of
this paragraph (b) have agreed in writing to rules governing the manner in which the
testing or assessment is to be conducted, including a mitigation plan for handling
significant system outages or disruptions in the event they occur.
(2) The state auditor shall prepare for the committee reports and
recommendations on the postaudits conducted, and, under the direction of the
committee, shall prepare an annual report to contain, among other things, copies of
or the substance of audit reports on the various departments, institutions, and
agencies as well as a summary of recommendations made in regard thereto. All
reports must be open to public inspection except for that portion of any report
containing recommendations, comments, and any narrative statements which is
released only upon the approval of a majority vote of the committee.
(3) The state auditor shall keep a complete and accurate set of records on
the fiscal transactions of the state auditor's office, and shall also keep a complete
file of copies of all audit reports, including work papers, and copies of
examinations, investigations, and any other reports or materials issued by the state
auditor, the state auditor's staff, or by the committee. The work papers of the office
of the state auditor shall be open to public inspection only upon approval of a
majority of the members of the committee. Only the specific work papers that the
committee votes to approve for disclosure shall be open to public inspection. Work
papers that have not been specifically approved for disclosure by a majority vote of
the committee shall remain confidential. Under no circumstances shall the work
papers be open to public inspection prior to the completed report being filed with
the committee.
(4) All expenses incurred by the office of the state auditor, including salaries
and expenses of employees, shall be paid upon vouchers signed by the chairman of
the committee and drawn on funds appropriated for legislative expenses and
allocated to the office of the state auditor; except that any payroll voucher or any
other voucher which does not exceed one thousand dollars may be signed by the
state auditor or by the state auditor's authorized designee.
(5) It is the duty of the state auditor to annually evaluate the investments of
the public school fund and report to the committee any loss of principal of such
fund that, in the state auditor's judgment, exists.
(6) Repealed.
(7) Upon a determination by the state auditor that the provisions of section
20-1-112, C.R.S., have not been met, the state auditor shall cause to be conducted a
postaudit of any noncomplying office of district attorney. The expenses of such a
postaudit shall be borne by the office of district attorney.
(8) The state auditor shall review or cause to be reviewed all enterprise
designations submitted to the office of the state auditor pursuant to the provisions
of sections 23-3.1-103.5 and 23-5-101.5, C.R.S., to ensure that such designations
conform to the requirements of section 23-3.1-103.5 or 23-5-101.5, C.R.S., whichever
is applicable, and to the provisions of section 20 of article X of the state
constitution. In addition, the state auditor shall recommend to the legislative audit
committee those designations, if any, which, in the opinion of the state auditor,
should be allowed to expire and shall otherwise assist the legislative audit
committee in reviewing the enterprise designations submitted to the office of the
state auditor.
(9) It is the duty of the state auditor to conduct or cause to be conducted
performance audits as specified in section 2-7-204 (5).
(9.5) It is the duty of the state auditor to notify the appropriate joint
committee of reference as determined pursuant to section 2-7-203 when a
department has not completed recommendations made by the state auditor within
the time provided.
(9.7) It is the duty of the state auditor to establish and administer the fraud
hotline as specified in section 2-3-110.5.
(10) As used in this section, unless the context otherwise requires:
(a) "Information technology" shall have the same meaning as specified in
section 24-37.5-102 (12).