The IG, in coordination with the Audit Committee, develops an annual work plan based on an assessment of relative risks, that identifies areas and processes to be reviewed. In developing the work plan, the IG takes into consideration requests from the planning boards, commissioners, Commission employees, elected officials and members of the public.  The IG has final authority on the completion of work assignments.

The annual work plan is considered a fluid document.  The IG is authorized to adjust the work plan based on OIG resources, new risk factors, and special requests.  Major changes to the work plan require approval from the Audit Committee.

The OIG completes the following types of audits and reviews:

Performance Audits:  Performance audits are completed in accordance with Generally Accepted Government Auditing Standards (GAGAS).  Performance audits provide findings and recommendations based on an evaluation of sufficient, appropriate evidence against criteria.  Within the Commission, performance audits often include a review of internal controls of a Commission facility, process or function (e.g. accounts payable, purchase card), or information systems.

The OIG also completes Follow-Up reviews to ensure management’s responses to audit recommendations have been successfully implemented and audit findings are resolved.

Information System/Information Technology Reviews (IS/IT): IS/IT reviews are considered performance audits and are completed in accordance with GAGAS.  IS/IT reviews may include pre or post implementation audits of Commission applications, review of general IT Controls (e.g. business recovery processes, user account management, etc.), compliance audits (e.g. Payment Card Industry Data Security Standards), or IT process audits.

Fraud, Waste, and Abuse Audit (FWA):   The Annotated Code of Maryland, Section §15-501 includes definitions for fraud, waste, and abuse.  The OIG places the highest priority on evaluating and appropriately responding to allegations of fraud, waste, and abuse.  Commission employees are required to report all suspected instances of fraud, waste, or abuse to the OIG.  This includes suspected security breaches of Personally Identifiable Information (PII). (Please See Commission Practice 3-31, Fraud, Waste, and Abuse).

FWA audits are completed in accordance with the Principles and Standards for Offices of Inspector General.

Management Advisories:  Commission management can request a management advisory review.  The completion of these advisories is based on available resources and identified risks.  Management advisories can include administrative investigations (e.g. review of general internal controls, budgetary analysis, operational review, etc.) 

The depth of these reviews vary significantly resulting in a variety of presentations of the results including a short phone call or email message, a short memorandum, or an extensive memorandum that includes various recommendations. Management Advisories are considered non-audit services.