By Charlie Hayward

For MarylandReporter.com

State auditors found “unsatisfactory” accountability and compliance levels within the highest management echelons of the Department of Health, the state’s largest agency.

The auditors’ “unsatisfactory” designation is reserved under state law to a few large state agencies who demonstrate chronic inability to maintain a reasonable level of internal control, and cannot fix problems identified in past audits. Major problems have persisted over multiple years and several governors.

The Health Department’s current operating budget is $14 billion, or 32% of total state spending. The audit covers 2013 to 2016, the last two years of the O’Malley administration and the first year of Hogan’s.

The Office of Legislative Audits (OLA) looked at expenditures within MDH’s executive and leadership budget units that spend about $55 million annually, The audit didn’t evaluate all MDH operations.

Of the 17 major findings, six were repeated from previous audits that had gone uncorrected.

Auditors made 49 recommendations, and MDH agreed with 46 of them. In its response to the audit, the department said fixes had been made for more than half the audit recommendations before auditors issued their final report last month.

Under-billing, over-billing the feds

MDH performs a substantial part of its work under reimbursable agreements with various federal agencies. During fiscal year 2016, MDH processed federal fund reimbursement requests totaling about $6.4 billion.

Auditors found MDH continues to send out millions of dollars of erroneous reimbursement requests due to poor internal controls and ineffective supervisory oversight. Auditors found a 20% error rate in a small sample of transactions, with $25.9 million of under-billings and one over-billing of $23.5 million.

This is a repeat finding by both state and federal auditors.

Contractors went unaudited

MDH maintains agreements with 24 local health departments and 80 private providers who received grant awards subject to audit totaling approximately $315 million and $196 million, respectively, during fiscal year 2016.

State law requires MDH’s Office of Inspector General (OIG) to perform audits designed to assure these payments are justified. OLA auditors found OIG:

hadn’t audited certain private providers for more than five years and didn’t always conduct private provider audits in a comprehensive manner. Repeat finding;

And didn’t have a formal process for ensuring parties that had been audited actually fixed their deficiencies.

Overpaying universities

Interagency agreements are contracts with other state entities, in this case, state universities. These agreements are exempt from state procurement law. As such, they require unique internal controls to avoid overspending or circumventing legislative control of department budgets.

Auditors found Health had contracted for university-provided services totaling $330 million during the three-year audit period, but MDH was:

Likely overpaying for some of these services;

Circumventing legislative ceilings on numbers of employees by augmenting its staff using university hires;

Not assessing if services should have been obtained competitively from private-sector vendors;

Not assuring services paid for were actually performed; and

Contracting with universities for work outside the universities’ missions and expertise.

Procurement rules flouted

Auditors found deficiencies in several procurement activities:

1) MDH awarded $45 million of sole source and emergency contracts without complying with state procurement requirements designed to avoid excessive spending. Specifically, auditors found:

Prices weren’t negotiated with vendors; MDH contracted for work at the prices first quoted, overpaying for some services.

MDH didn’t keep records to justify the emergency conditions.

One contractor was unilaterally selected by an unidentified executive employee and details of this procurement were subsequently misrepresented to the Board of Public Works. (Auditors never name individuals in their reports.)

2) MDH didn’t have internal controls to ensure it consistently complied with public advertising requirements designed to ensure ads for contracting opportunities reach the widest possible audience to help assure maximum competition.

3) MDH didn’t comply with state regulations designed to control procurement integrity. Bids weren’t properly tracked, controlled, and safeguarded from unauthorized access.

MDH’s controls were so weak that someone could have gained access to bidders’ proposals—between the time they were submitted and the time contract awards were made—and inserted fraudulent bids at more favorable terms, possibly leading to fraudulent awards.

Auditors didn’t report any fraud, although they did find one contract award for $5.1 million even though the low bid submitted by a qualified bidder (the incumbent) was $1.9 million.

4) Auditors also found procurement documentation in general disarray.

Insecure data

Auditors found weaknesses that left it vulnerable to data breaches, theft, and destruction or degradation of data:

Sensitive personally identifiable information within a database and data file was stored without adequate safeguards;

Network access to critical MDH internal network devices was not properly restricted, intrusion detection prevention system coverage was not complete or adequate, and certain wireless connections were not configured securely (This was a repeat finding, but MDH expressed reservations with OLA’s recommendation. It appears the two sides will resolve differences later);

Malware protection for MDH computers was not sufficient to provide the Office of Information Technology with adequate assurance that these computers were properly protected.Repeat finding; and

Information technology contractors had unnecessary network-level access to the MDH network. (MDH disagreed with OLA’s recommendation as too expensive to implement, while expressing agreement with limiting contractor access).

These control deficiencies put MDH at risk of data loss or damage that could adversely affect data integrity, operations and privacy laws.

Cash Receipts

MDH collects more than $150 million annually from its various operations. Controls were not established to ensure collections were properly accounted for, secured and deposited.

OLA said it was possible cash receipts could be stolen without detection, but auditors didn’t report any actual instances of fraud.

Accounts Receivable

MDH didn’t adequately pursue collection of delinquent accounts receivable. As of June 30, 2016, MDH’s accounts receivable were $17.9 million, with about one-third being delinquent (outstanding for more than 120 days.) OLA found collection efforts were insufficient and referrals to the state Central Collection Unit weren’t done. This was a repeat finding.

Overtime irregularities

Overtime earned by 12 employees of the Secure Evaluation and Therapeutic Treatment Program for an extended period appeared questionable and was not investigated. One employee earned more than 100 hours of overtime during each of 16 different pay periods, including 158 hours of overtime during a single two-week pay period.

OLA also assessed cumulative overtime claims versus budget and found overtime payments of about $2.7 million were five times higher than budgeted.

Government credit cards

MDH employees use 311 corporate purchasing cards, and spend about $25 million annually, according to 2015 figures. Based on a small sample auditors found one MDH employee had bought $6,500 worth of gift cards, and $3,000 of these were found to be improper spending based on an investigation by the state comptroller.

In addition, MDH employees shared the same cards and card account numbers, a practice prohibited by policy. They also circumvented limits in card purchases by splitting purchases to make it appear dollar limits on individual transactions weren’t exceeded.

Missing equipment

MDH’s Office of the Secretary maintains significant assets that, as of June 2016, were valued at about $58 million, of which $39 million was equipment at risk of theft, such as desktop and laptop computers.

Physical inventories, or comparing equipment items tagged to show ownership against inventory ledgers, are required to be done annually. OLA found 60% of units tested were between two to four years delinquent in doing these inventories. And the sensitive equipment for these units had a collective cost of $17 million. Repeat finding.

One unit’s physical inventory found 442 missing items with a total cost of $910,000. Missing items were about 30% of the inventory recorded on the books, and included many sensitive items, such as 166 two-way radios with a cost of $615,000.

Conclusion

MDH not only runs the state’s Medicaid program, it operates a staggering number of programs and activities within more than 100 divisions, commissions, boards and offices. Management that was was the object of this audit is responsible for policy formulation and implementation in 34 program areas and for providing statewide executive oversight of 24 local health departments. It is a challenging environment—many think MDH’s $14 billion budget is too little.

OLA’s “Unsatisfactory” rating suggests failures of management and shortcomings with the “tone at the top,” even though current agency management indicates many audit recommendations were implemented earlier this year.

Charlie Hayward spent more than 30 years performing Government Accountability Office audits and served as a partner in two accounting firms. He retired in 2007 from Cotton & Company LLP, where he was a partner and principal financial auditor of the firm’s audit practice group. Since retiring, he has been a contributing writer for MarylandReporter.com.