Rebirthed internal audit team finds 12 Buncombe departments at 'high' operational risk

ASHEVILLE - Nearly five years after the Wanda Greene fraud scandal, one year after the last internal audit director resigned and three months after the county received a clean financial audit, the government's embedded oversight team found 12 departments are currently at "high" operational risk.

The county's new Internal Audit Department Director Dan Keister presented Board of Commissioners the first phase of action his team of three will take throughout the 2023 fiscal year, mainly focused on mitigating these risks.

The two departments with the highest risk levels, according to a standards-based survey Keister conducted, are the Information Technology department and Sheriff's Office.

"We've got to know where we are to know where we need to go," said Commissioner Al Whitesides when asked if this list concerned him.

He along with County Commissioner Robert Pressley are on the Audit Committee, a board of seven that "provide(s) oversight for management's systems of internal control and the performance of the internal and external audit functions," according to Buncombe's website.

How Buncombe's audit measures have evolved in 2022: 

• New Buncombe audit director will increase public accountability reports, transparency

• Buncombe's FY 2021 financial audit made 4-year history. Read it in full here.

• Pending vote, Buncombe internal audit director hire is department's sole full-time employee

• Buncombe leaders see depleted oversight department as 'opportunity' to build transparency

"There's a lot of worries out there," Whitesides said, but insisted the county's plan to tackle risk and some of its recent high-level hire could help keep risk at bay.

"That's something we've been doing all over, hiring people, bring them in to really up our game, so to speak, to make sure that we don't have the problems that we've already seen in other counties and the state and across the country."

Pressley also pointed to the audit department's capacity for success and its recent growth, instead of reflecting any specific issues the risk-rating heralded.

"We have changed so many policies over the last five years since everything happened," Pressley told the Citizen Times. "And now we are finally at the point where we can say, OK, what are the most serious (areas) or the ones that we worry about the most?"

He said the audit team was at its largest since he started serving as commissioner six years ago.

"Even though those 12 are really the highest risk — and what we mean by the highest risk is where they can do the most damage — all ... (departments) are important," Pressley said, noting it's the Internal Audit Department's job to keep track of each department and note things the committee might not otherwise be aware of.

Keister, who was hired in January, through the first half of 2022 to conduct more than 45 interviews to evaluate more than 30 departments.

During the June 7 meeting he showed commissioners part of a spreadsheet ranking those departments on eight different operational risk factors, including:

• Strategic

• Financial

• Legal and regulatory

• Environmental health and safety

• Information technology

• Fraud

• Human capital

• Reputational

Adding up those factors could lead to a score as high as 24, the highest risk, or as low as eight, the lowest risk.

The higher the score, the greater the risk.

The 12 Buncombe departments that placed in the "high-risk" range received scores of 20-24, according to Internal Audit Department findings in the spreadsheet a full version of which Buncombe provided to the Citizen Times.

The department with the highest risk value was Information Technology, which scored a 23.

The department with the second highest risk score was the Sheriff's Office, which scored a 22.

Related: Buncombe eyes nearly $400 million for 2023 budget in second-pass work session

Another six departments each scored 21, including Emergency Services, Finance, Health and Human Services, Human Resources, Register of Deeds and Strategic Partnerships.

Four departments scored a 20, including Budget, Intergovernmental Relations, Justice Services and Solid Waste.

Only one department was below a 15, the Clerk to the Board, which scored a 13.

These numbers — generated using county-adopted Committee of Sponsoring Organizations or "COSO" risk-management standards — are what Keister called a "foundation" for the internal audit plan, a tiered strategy that will tackle several "projects" in fiscal year 2023, including a review of information technology general control, cash management and grants management.

"We're looking to determine and assess risk that could prevent the organization from reaching its operational, financial and service-level goals and commitments," Keister told commissioners. "This process shows us our biggest challenges and where we should potentially focus our efforts and resources from a review standpoint."

Coming back from a slump

This new baseline score for departmental risk was presented one year after Buncombe's Internal Audit Department shrank to almost nothing.

After the recent hires of Senior Accounting Technician Candice Searcy and Internal Auditor Paige Anderson — a certified public accountant — the department is up to three employees.

But through most of 2021, it had only one person, Kelly Houston. Former director Trisha Burnett was in her role from Sept. 16, 2019, to June 30, 2021, when she resigned.

For some time, Houston worked as both internal auditor and held a role in the legal department. The department had a space for only two roles for some time, and Houston during late 2021 Audit Committee meetings suggested hiring more positions.

She told committee members at a November meeting that, according to Association of Local Government Auditors — a group defining and informing audit standards and best practices — Buncombe should have eight employees, given the scope of the work it should be performing.

"I'm aware of the ALGA numbers," Keister told the Citizen Times June 9. "I think we're initially building out the program. I'm a new director in this space. So, to me it's important to get the right people in the right seats, start building that program and then work for longevity to be fully to the recommended numbers."

According to meeting notes, staffing and resources both have been issues for the Internal Audit Department for several years.

Management approved budgets for the department since fiscal year 2020 have often been significantly lower than committee asks.

According to a presentation from Houston in November 2021, the department wanted $397,727 for fiscal year 2020 and received $290,370.

In fiscal year 2021 it asked for $638,073 and received $341,744.

In fiscal year 2022 it asked for $746,734 and received $449,504.

This year, according to Keister, the Internal Audit Department has asked for $459,572.

County management has proposed $444,572.

The new budget will be finalized come June 21 when commissioners will vote on approval.

Given the events of 2017-2019 involving Wanda Greene and the fact that the department has not in the past three years received a committee-requested budget, the Citizen Times asked County Manger Avril Pinder her current perspective on supporting the internal audit department with adequate funding, other necessary resources and the liberty to perform its duties.

Buncombe County spokesperson Kassi Day responded on Pinder's behalf, saying the government was "committed to building an Internal Audit team that will strengthen our compliance and ensure we are operating at or above industry standards."

She noted every department and director that is part of the general fund works through a very interactive budget process.

"Departments, commissions, boards, etc., send their requests, and then budget actuals from previous years along with revenue projections are used to refine their requests through a first and second pass to get to a number that we can support with revenues to put forward for Board of Commissioner consideration."

Peer review still in the works

Another yet-to-be addressed issue Houston brought to the Audit Committee's attention in 2021 was the lack of an external "peer review" of the internal audit department, an external examination of an organization's quality control apparatus, in this case, the Internal Audit Department.

Buncombe's Internal Audit Department uses the United States Government Accountability Office's Yellow Book, a set of standards for auditing.

This manual says that a government should complete a peer review every three years.

The county hasn't yet completed a peer review.

Keister said that's going to change and that preparation for a peer review will be part of the new Internal Audit Department charter he'll pass to Board of Commissioners for approval in the coming months.

He said he wants "at least a full year of audit work" under his leadership before moving forward with a peer review.

"It's a longer-term goal," said Audit Committee Chair Kendra Ferguson of the peer review. "We're going to have to see how quickly Dan's department will be able to get up to the standards required to be able to go through a successful peer review. It doesn't make sense to go through the peer review if you're not ready."

Keister in an interview and during discussion with the Audit Committee June 7 said his team is committed to the work ahead. Part of that is still cleaning up from the Wanda Greene scandal.

"How do we attack remediation and how do we make change? That's going to be new for this organization, to be quite frank," he said rhetorically to the Audit Committee, emphasizing the need for a "mechanism" to show what the "most important things" are — namely, the highest risks.

"There were issues with staffing, there were issues with assuring regulation and (that) things were up to standard in the audit department prior to (me) joining," he told the Citizen Times. "That was the reason why they were so aggressive in hiring and taking a national search for my position."

Referencing the issues Houston noted in her 2021 presentation, Keister said "We're only six months into me being here, 5½, and we're working towards it."

Andrew Jones is Buncombe County government and health care reporter for the Asheville Citizen Times, part of the USA TODAY Network. Reach him at @arjonesreports on Facebook and Twitter, 828-226-6203 or arjones@citizentimes.com. Please help support this type of journalism with a subscription to the Citizen Times.

This article originally appeared on Asheville Citizen Times: Inside audit plan activated as 12 Buncombe depts. flagged 'high-risk'