Doug Hoffer: Common audit findings

Vermont Business Magazine The State Auditor’s Office (SAO) today released a report that summarizes common audit findings that have resulted from the dozens of audits completed during Auditor Doug Hoffer’s tenure to date. He was first elected in 2012 and previously announced he would not seek another term.

Notwithstanding the huge range of services provided, there are many common elements in the management of state programs. Not surprisingly, they encounter similar problems across state government. But in each audit, the findings are limited to a particular program and department. Therefore, in recognition of this, they produced this summary report of common audit findings in order to inform and benefit all agency, department, and program leadership, whether or not they have been the subject of an audit.

by Douglas R. Hoffer, State Auditor 

As I enter the final months of my tenure as Vermont's State Auditor, I want to share some observations about our work. We have conducted dozens of performance audits addressing a variety of programs and departments. The diversity of subjects covered reflects the broad scope of the State's responsibilities. 

Generally, we don't question the choices made by the Legislature. Instead, our job is to evaluate the efficacy and cost-effectiveness of the delivery of services by the executive branch. So, most of our work concerns the nuts and bolts of state government. The point of departure is the intent of the Legislature (goals), but we deal primarily with implementation. 

While this may not be as dramatic as front-page policy debates, it's about making sure every dollar of taxpayer money is being used to solve problems with little or no waste. 

Notwithstanding the huge range of services provided, there are many common elements in the management of state programs. Not surprisingly, we encounter similar problems across state government. But in each audit, the findings are limited to a particular program and department. Therefore, in recognition of this, I decided to authorize a summary report of common audit findings that keep popping up. 

I hope the Administration will use this document to improve policies and procedures and to shape more and better training. 

State government is a massive and complex organization. Everyone is working hard, but there are numerous opportunities for improvement. Those who benefit from (and pay for) state services have every right to expect each administration to identify and adopt best practices. And those efforts can and must be tracked through performance measurement, which is the subject of another report my office is currently completing. 

Introduction

The State Auditor’s Office (SAO) is the watchdog of State government performance, providing independent, objective analysis to the Executive, Legislative, and Judicial branches. The SAO produces a wide range of performance audits centered on accountability of the State to its citizens. Vermont’s Annual Comprehensive Financial Report (ACFR) is completed by an independent CPA firm under contract with the SAO. 

The ACFR reviews internal controls over financial reporting and compliance. The SAO is also responsible for Vermont’s annual “Single Audit,” which examines the State’s use of federal funds. This is completed by the same firm that produces the ACFR. The work the SAO does provides valuable insight into whether government programs and operations are working effectively and efficiently and offers recommendations for improvements. In the course of our work, we routinely encounter problems of a similar nature across departments that would benefit from a coordinated, across-agency approach at the highest level of government. Running State government is a complex endeavor, and making changes based upon our recommendations can take time, but Vermonters deserve a government that provides the best possible services and takes accountability where improvement is needed. 

Between July 2013 and April 2026, the SAO completed 59 performance audits, 11 legislatively-mandated Tax Increment Financing audits and issued numerous investigative reports and memorandums. In the 59 performance audits, we found that: 

• 50 (85 percent) had issues related to policy and process-related internal controls

• 28 had issues related to data errors and reporting deficiencies

• 24 had issues with legal compliance

All three of these areas can be considered internal controls. Also, a large portion of our performance audits identified issues related to the lack of performance measures, which we will be exploring in a separate report. We make recommendations related to our findings in our audit reports, but the responsibility for implementing those recommendations rests with the State entity being audited. When they do not implement our recommendations, the issues remain and potentially compound. As identified in our analysis, underlying issues (e.g., lack of written procedures) of a similar nature are often identified across agencies and departments which could benefit from standardized, statewide approaches and guidance. This report seeks (1) to shed light on some of the key problem areas we frequently encounter, and (2) to identify trends in internal control issues that would benefit from statewide oversight.

What are Internal Controls?

Internal controls are processes that management uses to help an entity achieve its objectives, protect assets, and mitigate risks. Internal control standards define three categories of objectives: operations, reporting, and compliance. When done correctly, the internal control process helps an entity run its operations efficiently and effectively, report reliable information about its operations using reliable data, and comply with applicable laws and regulations. They are not stand-alone practices but rather should be woven into the day-to-day responsibilities of managers and their staff. Without controls, a program is vulnerable to fraud, waste, and abuse. Controls can be physical, like keeping important information locked safely, password protecting sensitive data, or limiting access to documents and systems. They can also be process-related like segregation of duties and requiring varying levels of review and pre-approvals. 

Figure 1. The components, objectives, and organizational structure of internal control 

Source: Government Accountability Office (GAO) Green Book

Internal control is a crucial component for State government to fulfill its mission and accomplish its goals in service to Vermonters. Public officials, legislators, and taxpayers are entitled to know whether government agencies are properly administering public funds and complying with laws and regulations. Without proper controls, government programs suffer, taxpayer dollars are at risk of being wasted, and programs may not fulfill their public service missions.

Common Audit Control Findings in our Reports 

Operations: Policies, Processes, and Procedures 

The documentation of policies and procedures is critical to the daily operations of a department. They provide specific direction to employees on how to conduct work consistently in support of achieving an organization’s mission. Without this framework of understanding by employees, conflict can occur, poor decisions can be made, and serious harm can be done to a department’s reputation and operations, leaving government programs vulnerable to fraud, waste, and abuse. Issues with process-related internal controls are consistently identified in both SAO and Single Audit findings, as shown in the examples below. 

In the 2025 Medicaid audit, we found that the Department of Vermont Health Access (DVHA) and partner State organizations did not consistently act in response to findings from its own Special Investigations Unit (SIU) to reduce the Medicaid program’s vulnerability to fraud, waste, and abuse. At the time of the report, almost 197,000 individuals in Vermont relied on Medicaid and Medicaid-related services provided by Vermont providers, including hospitals, nursing homes, general practitioners, and specialists. Despite Medicaid’s importance to a significant portion of Vermont’s most vulnerable populations, weaknesses in the State’s controls jeopardized the integrity of the program, exposing it to provider fraud, loss of federal funding, and reduced services for those in need. Specific internal control-related issues included a lack of corrective action follow up on known program vulnerabilities, policy changes approved despite program integrity risk, and a lack of program integrity oversight for the State’s Accountable Care Organization, OneCare, and other DVHA contractors. 

Read full Medicaid report 

In the 2024 Capital Investment Grant Program (CIP) and Community Recovery and Revitalization Grant Program (CRRP) audit, we found that the Department of Economic Development (DED) in the Agency of Commerce and Community Development (ACCD) asked the Legislature to remove an internal control requirement from the CRRP grant application review process. At DED’s request, the Legislature removed the requirement for a state economist to calculate the fiscal impact to the state and verify that the project would truly make a difference and would not occur without the grant award. According to the State’s own internal control standards, reviewing and verifying a participant’s eligibility for State program funds is an important control step. Having a control to verify the impact to the state is an important tool in transparent decision-making and removing it undermines accountability for public resources.

Read full CIP/CRRP report 

In the 2024 State Hazard Mitigation Plan audit, we found that the Vermont Emergency Management, a division of the Department of Public Safety, did not have guidance on completing mitigation actions, nor did it have a process to adequately train staff leading the actions. Floods, the COVID-19 pandemic, and other disasters have killed Vermonters and caused hundreds of millions of dollars in damage to Vermont’s economy, environment, and infrastructure. Between 2011 and 2023, there were 21 federally declared disasters in Vermont, as well as non-federally declared disasters such as hotter temperatures, invasive species, and air quality issues from wildfire smoke. The State Hazard Mitigation Planning and Policy Committee, of which the Secretary of Administration is a member, was tasked with implementing mitigation actions led by the State which aim to reduce or eliminate long-term risk to life and property in the event of a disaster. These actions represent a way for the State to manage the impact of these events on Vermonters, but the State failed to implement the actions, including a significant portion of priority actions, leaving Vermonters at greater risk. 

Read full Hazard Mitigation Plan report 

In the 2023 Agency of Digital Services (ADS) audit, we found several issues with contract oversight, including that ADS did not have procedures to ensure that contract deliverables were verified before paying invoices. Without proper contract oversight, the State is at risk of paying vendors without receiving services. For example, in one project ADS paid a contractor $2 million – almost the full amount of the contract – even though the system had not been deployed more than two years after the scheduled completion date. Paying for services not rendered is a waste of taxpayer dollars. 

Read full ADS IT Projects report 

The single audit, for the year ending June 30, 2024, conducted for our office by CliftonLarsonAllen LLP (CLA), found both significant deficiencies and material weaknesses in internal controls [1]. For example, the Agency of Administration (AOA) was unable to provide documentation that it competitively procured a contract for $5 million, nor that a cost analysis was performed. Failure to adhere to contracting standards could result in the State procuring goods or services that are not cost-effective nor in the best interest of the program.

Read full 2024 Single Audit report 

The single audit for the year ending June 30, 2020 found both significant deficiencies and material weaknesses in internal controls. For example, the Department of Labor did not have proper financial reporting controls in place to ensure the Federal Pandemic Unemployment Compensation funds were recorded accurately. Proper administration of federal funds is crucial to prevent a reduction in federal financial support. 

Read full 2020 Single Audit report 

Reporting: Issues with Data 

The Executive Branch and the Legislature need accurate data that allows them to objectively evaluate programs, support strategic planning and budget decisions grounded in evidence, foster accountability within organizations, and provide transparency of government decision-making to the public. The Agency of Administration (AOA), through guidance issued by its Chief Performance Officer, states that Vermont has a commitment to transparency, continuous improvement, and results-driven public service and that the State has a continued commitment to data-informed decision-making. Our reports, however, routinely find state departments that do not have complete and accurate data. 

In the 2025 Department of Health (VDH) Complaints audit we found that VDH was not collecting program-wide data or conducting program-wide trend analysis of the entire food and lodging complaint program. As a result, VDH lacked needed tools to better detect and mitigate major risks to Vermonters’ public health, and lacked the information needed for data-driven decision-making and continuous improvement. Further, VDH did not provide data to AHS leadership nor to the Legislature which would allow them to objectively evaluate the program and provide accountability and transparency to the public.

Read full Health Consumer Complaints report 

In the 2022 prisoner grievances audit of the Department of Corrections, we found that prisoner grievance data was often missing, inaccurate, or unusable. The recordkeeping system that the Department of Corrections used to collect information on grievances did not have reliable or basic information. Further, the program did not have data entry or record-keeping guidance, resulting in system-generated reports for management and leadership that were inaccurate. Without reliable data, there cannot be a fair and equitable grievance process that provides incarcerated individuals with a means to fix problems with the conditions of their confinement, thereby improving their safety. This also hinders the safety of those who work in correctional facilities. 

Read full Prisoner Grievances report 

In the 2022 audit of the Department of Environmental Conservation’s (DEC) Dam Safety Program, we found that DEC did not maintain a complete and accurate inventory of dam condition information or update the dam inventory with the new hazard potential classifications. Further, DEC did not record inspection dates in the dam inventory as they occurred. The safety of the citizens of Vermont is dependent on the state inspecting and evaluating the state’s dams and compelling dam owners to make repairs to keep the dams from failing, including those dams owned by the State. Without accurate data, DEC could not provide correct information to stakeholders or prioritize the dams needing immediate attention, which could result in dam failures that risk property and lives. 

Read full Dam Safety report 

The Single Audits for the years ending June 30, 2022, and June 30, 2023 found both significant deficiencies and material weaknesses in internal controls. For example, CLA found that AOA inaccurately reported financial data to the U.S. Department of Treasury for projects related to the Coronavirus State and Local Fiscal Recovery Funds. Inaccurate reporting could result in a loss of federal funding. 

Read full 2022 Single Audit report 

Read full 2023 Single Audit report 

Compliance: Issues with Legal Compliance 

State agencies and departments are required to adhere to and enforce compliance with federal and state laws and regulations. They have an obligation to follow the law as public servants and stewards of taxpayer dollars. Many of the legal compliance issues we report on relate to the health and safety of Vermonters. In three of the examples below, the issues identified specifically impact some of the most vulnerable populations, youth and the elderly. 

In the 2026 Department for Children and Families, Child Development Division (CDD) childcare violations audit we found that CDD allowed prospective child care staff to begin working before the FBI and in-state fingerprint-supported background checks were complete, which is in violation of federal law. Comprehensive background checks help ensure the safety of children in these programs. Further, there were gaps in out-of-state background checks, potentially allowing child care staff with criminal convictions to work. Additionally, Vermont statute required certain violations to be cited as serious; however, CDD regulations allowed licensors discretion when citing violations for self-reported incidents. Ensuring the safety of children in Vermont childcare facilities is one of CDD’s most important responsibilities. Continued noncompliance could jeopardize the safety of Vermont’s children and could also result in cuts to federal funds for programs like Head Start. 

Read full Childcare Violations report 

In the 2022 Department of Disabilities, Aging and Independent Living (DAIL) Assisted Living Residences and Residential Care Homes audit, we found that DAIL did not comply with statutory and regulatory requirements to inspect facilities annually or for changes of ownership and did not comply with its own regulations for receiving plans of correction within required timelines. In some instances, the plans for correction related to immediate jeopardy to resident health or safety or actual harm. Vermont’s population is aging, and the state is duty-bound to ensure the safety of older, vulnerable Vermonters living in long-term care facilities by enforcing the laws and regulations governing the facilities. 

Read full DAIL Assisted Living report 

In the 2019 Agency of Education (AOE) Child Protection Registry (CPR) audit, we found that AOE issued educator licenses despite the absence of a CPR check, which is not in compliance with State statute. AOE and supervisory unions/districts are statutorily mandated to request and obtain information from the CPR, which contains records about individuals with substantiated reports of child abuse or neglect. Further, AOE did not ensure that all supervisory unions/districts checked the CPR registry for all required categories, which is also required by law. Checking the CPR can help mitigate the risk of unknowingly putting individuals with a history of child abuse or neglect into contact with children. 

Read full Child Protection Registry report 

The Single Audits for the years ending June 20, 2021 and June 30, 2023 found both significant deficiencies and material weaknesses in internal controls. For example, AOA omitted required federal award information from subaward agreements issued using program funds in violation of 2 CFR §200.332(a). In another example of a violation of the same law, AOA misclassified payments it made to beneficiaries as subawards. Proper administration of federal funds is crucial to prevent a reduction in federal financial support. Additionally, the last seven single audits have found issues related to legal compliance with 2 CFR §200.303(a) (internal control). 

Read full 2021 Single Audit report 

What Vermont is doing, and Lessons from other States

Vermont statutes regarding internal controls are very limited and focus narrowly on financial internal controls without addressing programmatic requirements, statewide accountability, or oversight for state agencies [2]. There is no standardized process, no designated internal control officer, and no oversight of statewide programmatic internal controls for Vermont. The State’s own internal control guidance identifies accountability as intrinsic to the governing process (see callout box). However, even following the guidance is not required. Without these key internal control steps being taken, accountability is weak.

The State’s internal control division, housed in AOA’s Department of Finance and Management (DFM), has limited internal control activities that primarily focus on providing resources and guidance to improve the State’s financial operations. The Internal Control Standards: A Guide to Managers that DFM issues is a suggestion to managers on best practices for internal controls but does not require the guidance to be followed. DFM does not have formal policies, processes, or procedures for how internal control work should be carried out for the State. There is a sole individual working on internal control guidance, and the position is not solely dedicated to internal control work. DFM manages the annual self-assessment of internal control (SAIC) questionnaire, which is sent to all major departments/divisions. However, while participation in the SAIC is encouraged, it is not required and the questions focus primarily on financial activities, with some general information requested. There are no required internal control activities or certifications that DFM or other departments participate in at a statewide level. 

Weak or insufficient internal controls will result in audit findings and, more importantly, could lead to theft, shortages, wasteful spending, or operational inefficiency and ineffectiveness. As seen in the examples above, internal control issues have been identified by both the State Auditor’s office and through the Single Audit year after year and across agencies and departments, but the state continues to lack a standardized, statewide approach to ensure accountability to internal control standards proactively. While the internal control guidance and outreach DFM does is evolving, it does not have oversight responsibility for the internal control work that should be done across agencies and departments to provide sufficient accountability of the State’s operations to the public. 

In contrast, some states have taken proactive accountability measures to establish internal control requirements, assign responsibility, and train personnel. New York’s state Legislature enacted a law in 1987 requiring internal control measures and assigning responsibility to the head of each state agency. The head of each state agency is responsible for the system of internal controls as well as the review of its effectiveness and the training of employees on the system. Similarly, Massachusetts passed a law in 1989 outlining the requirements for internal control standards across all state agencies. In addition to the law, Massachusetts’s internal control policy also requires staff training, completion of internal control certifications, and a central repository of internal controls. Both states also require a designated internal control officer who shall report to the head of each agency. DFM officials confirmed Vermont does not have a designated internal control officer or a statute requiring all agencies to adopt a standardized internal control system. 

Colorado state policy requires all State agencies to follow the Government Accountability Office (GAO) Green Book: Standards for Internal Control in the Federal Government. Vermont does not have a standardized, required internal control guidance, although some agencies, including DFM, use Committee of Sponsoring Organizations of the Treadway Commission (COSO). Indiana requires an acceptable minimum level of internal control standards and procedures for state government and recommended the Green Book as a companion guide. The state also has mandatory internal control training for personnel. While there is some control training available, there are no mandatory internal control training courses for Vermont state employees. Indiana also requires the head of each agency to establish, implement, and maintain an effective system of internal controls. The state issued uniform guidance defining what an internal control system is and what standards the system should be measured against when evaluating sufficient controls.

Best practices in internal controls

As managers strive to achieve their agency’s missions and goals and provide accountability for their operations, they need to continually assess and evaluate their internal control structure. This should be done to ensure that it is well designed and operated, appropriately updated to meet changing conditions, and provides reasonable assurance that the objectives of the agency are being achieved. An internal control system should be a collaborative process between all levels of an organization, including an entity’s oversight body. 

The standard concepts for internal control are consistent amongst both state and federal best practice guidance and are organized similarly into objectives related to operations, reporting, and compliance. 

Figure 2: Achieving Objectives through Internal Controls 

Source: GAO Green Book 

Operations: Documentation of policies and procedures is critical to the daily operations of a department and is a recommendation made in almost all SAO performance audit reports. Without a framework by management and an understanding by employees, conflict can occur, poor decisions can be made, and serious harm can be done to the department’s reputation and operations. It is a department’s responsibility to lay the foundation of success for employees by establishing documented processes and policies and monitoring their application through review, approvals, and training. Not only is having a documented process critical though, training on and understanding of the process is vital to the mitigation of risk. Since 2013, 85 percent of SAO performance audits identified issues related to lack of policies, processes, and procedures. Vermont could require department heads to be responsible for certifying that they have written procedures to assign a level of accountability. 

Reporting: Management should obtain or generate relevant, quality information, which includes having relevant data from reliable sources and using that data to produce quality information. Quality information allows management to understand the risks to a program as well as its success and communicate those program elements to all stakeholders. Since 2013, almost half of the SAO performance audits identified issues related to data errors and/or reporting deficiencies. Without accurate data, the State cannot fulfill its promise for transparent, data-informed decision-making, and results-driven public service. 

Compliance: Management should conduct activities in accordance with applicable laws and regulations and set compliance objectives to ensure this outcome. In almost half of the performance audits since 2013, the SAO found issues related to legal compliance and following regulations. Law and regulations should be considered when establishing policies and procedures.

The responsibility to embrace internal controls lies with every state employee, but the State needs to establish the infrastructure and a consistent framework to support departments and hold all of state government accountable. An example of how to establish an infrastructure of accountability is Massachusetts, which requires state government department heads to annually certify that they have a system of written internal controls and training and monitoring actively in place as part of their daily operations. This intentional check-in process not only assigns responsibility to an individual but establishes a routine process of review. 

Good Governance

We periodically highlight matters for consideration by the Legislature in our reports alongside our recommendations to agencies. These are typically issues that would benefit from legislative clarification or legislative coordination with the Executive branch. These tend to fall into two areas: (1) revisions or clarifications needed in statute related to program/project implementation requirements, and (2) suggestions for program reporting requirements to enable the Legislature to exercise its oversight role and improve decision-making. For example:

In the Hazard Mitigation audit, we suggested that the membership, duties, and responsibilities of the State Hazard Mitigation Planning and Policy Committee be established in statute. We also suggested that the Committee could track their actions and give status reports regularly to legislative committees. This suggestion was aimed at providing clarity to the program guidelines and establishing accountability. 

In the CIP and CRRP Grant Program audit, we suggested the Legislature specify how DED should assess grant applicants’ eligibility. We also suggested that calculations using a known method (e.g., Net State Fiscal Impact) be used in grant programs with an expected financial return to the State. 

In the Covid-19 Emergency Economic Recovery Grant Program audit, we suggested that the Legislature require ACCD to provide periodic status reports on the grants that were awarded as well as any actions taken by ACCD in response to audit recommendations. 

In the ADS IT Projects audit, we suggested the Legislature modify statute to require ADS to include specific cost estimates for project implementation, timeline statuses, and tracking and reporting on whether or not the IT projects achieved their cost, schedule, and operational goals. 

In the VTrans Paving audit, we suggested the Legislature modify statute to require VTrans to report when a project exceeds the original estimates by more than 50 percent and to provide explanations when significant project delays occur. 

Coordination between the Executive branch and the Legislature is vital for good governance. The suggestions we make are intended to strengthen agencies’ ability to understand the intent of the Legislature and implement programs accordingly and for the agencies to report the results of their work to the Legislature accurately and in a timely manner. It is a full circle approach to improving Vermont’s public sector. Additionally, the Executive branch has a role to play in encouraging the Legislature to implement the suggestions made in our audits. The taxpayers deserve a government that works together. 

Conclusion 

Audit findings in one department are frequently applicable to other areas of state government. Audit work is an immensely important tool for detecting when something has gone wrong, but by nature, it is a reactive tool. Using audit recommendations from one agency or department to guide the assessment of other departments (e.g., does this program have written procedures) is a proactive way to identify potential programmatic weaknesses and strengthen state government. A coordinated, statewide approach can help support departments achieve strong internal controls and utilize audit recommendations to prevent repeated issues. 

Objective, Scope, and Methodology 

Objective 

The objective of this project was to summarize common audit findings and their causes, and to identify strategies to avoid such findings in the future. 

Scope 

The scope of this project included SAO performance audit reports issued between July 2013 and March 2026. The project also included Single Audit reports, which included the financial audit findings, issued for the periods between 2020 and 2024. 

Methodology 

We conducted a review of SAO performance audit reports and grouped the audit findings into the following main themes: (1) performance measure issues/results, (2) lack of compliance with legal requirements, (3) IT system inadequacies, (4) data errors/reporting deficiencies, (5) lack of policies/procedures/processes, (6) other internal control deficiencies, and (7) other issues. After analyzing the results of the review, we identified the following internal control categories as having substantial findings:

• Issues with Processes, Policies, and Procedures 

• Issues with Legal Compliance 

• Issues with Data 

We reviewed applicable state and federal regulations that pertain to the project, including state legislation on internal controls from Vermont and other states. We researched internal control guidance from DFM, GAO, and COSO. We reviewed state and federal guidance on data reliability. We met with officials from DFM to discuss the current internal control activities and processes. We also did limited research to identify similar reports from federal, state, and local audit offices.

 

FOOTNOTES

1 A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. 

 

2 8 V.S.A. § 31306 Supervisory Committee Controls, 16 V.S.A. § 242a School District Internal Controls, 24 V.S.A. § 1690 Municipal Internal Controls, and 32 V.S.A. § 163 SAO Requirements 
