A closer look at who is auditing Maricopa County's election and why it matters
As Maricopa County and the Arizona Senate battle over who should audit the 2020 election results, The Arizona Republic looked into the companies that actually would do the work.
It matters, election consultants say, since these companies will be trusted with material that's typically kept private to keep elections secure.
The county Board of Supervisors hired two firms to conduct its audit, saying they are the only firms that should be trusted because they are the only two accredited by the U.S. Election Assistance Commission to certify voting machines for use in elections in Arizona and across the country.
Yet, this connection alone — that the companies who certified the county's machines are now the ones auditing them — has some questioning whether there is a conflict.
The Republic found no proven connections between the two companies and Dominion Voting Systems, putting to rest one of the most widespread rumors. But The Republic found one of the firm's federal certification expired in 2017, although it remains in "good standing."
The Senate, which hasn't yet hired anyone to oversee its proposed audit, faced its own critics for considering a company with connections to the Trump campaign's efforts to overturn election results.
Elections consultants across the country say the two county-hired firms are probably the best, simply because they have been vetted by the elections commission.
Ben Ptashnik, founder and president of the National Election Defense Coalition, a bipartisan nonprofit that advocates for secure elections, compared giving a random company access to the voting systems to "giving the keys to your house to someone who you don't know."
Commission let certification lapse
Pro V&V and SLI Compliance are the only two firms accredited by the U.S. Election Assistance Commission to certify voting systems.
Voting systems are required to have this type of certification to be used in elections in many states, including in Arizona.
County officials say they did not pursue a public bidding process to choose the companies to do the latest audit because their priority was hiring companies accredited by the commission.
But, faced with “resource challenges” and other issues, the election commission hasn’t audited these two companies in quite a while. The Republic found that Pro V&V’s two-year certificate expired in 2017, and SLI Compliance’s expired last month.
The commission says the companies remain in “good standing” because of a rule that says they will be in good standing as long as they reapply, which both companies have done.
SLI Compliance’s reaccreditation was delayed by COVID-19, according to the commission.
For Pro V&V, reaccreditation was delayed due to a combination of “competing priorities, scheduling challenges, and resource challenges” along with a lack of quorum at the commission, according to Mona Harrington, executive director of the Election Assistance Commission
There are four commissioners, two nominated in 2015 by former President Barack Obama and two nominated in 2019 by former President Donald Trump.
Jack Cobb, co-founder and laboratory director of Pro V&V, provided documentation showing that the commission audited the firm in 2018 and recommended approval of the accreditation, but it never took a final vote. He said he doesn’t know why.
Regardless, Harrington said, the commission is “confident that the integrity of the labs and our voting system certification program has remained strong throughout.”
That’s good news for Maricopa County, since Pro V&V certified the Dominion software the county used in the last election in 2019 — two years after its certificate had expired.
Battle of the ballots: The county is auditing November's election. The Arizona Senate wants to. Which should we trust?
What qualified the county's auditors?
Cobb said he founded Pro V&V in 2011, and it has 12 employees and two contractors.
Cobb said he has been testing voting systems since 2004 for three different laboratories, has served as the “state expert/examiner” for Oregon, Pennsylvania and Virginia, and has performed testing for Georgia and North Carolina.
In a U.S. District Court case out of Georgia, Cobb submitted testimony to the court on his company's work certifying Dominion's software.
The judge wrote in an order last year that Cobb “does not have any specialized expertise in cybersecurity testing or analysis or cybersecurity risk analysis. Further, Mr. Cobb had not personally done any of the security testing referenced in his affidavits.”
Cobb told The Republic he does not claim to be a cybersecurity expert. "I am a voting system test expert," he said.
Cobb said that he was going to be doing the testing in Maricopa County, along with an employee whom he declined to name or give qualifications for.
SLI Compliance has been in business since 1997, according to Kevin Mullally, the company’s vice president of government relations. It is a division of Gaming Laboratories, which has 875 employees, he said.
SLI employees have Certified Information Systems Security Professional and Certified Ethical Hacker certifications, according to Mullally. “We employ senior managers with extensive voting system testing experience and voting system test specialists,” he said.
Using the two certified firms is the only way the county felt comfortable doing the audit, knowing that the companies already had gone through government background checks and that they would be qualified to do a thorough review of the county's systems, said Scott Jarrett, director of election day and emergency voting at the Elections Department.
But Senate President Karen Fann said the fact that the companies doing the audit are the same ones that certified the machines makes her question whether they are the best to do the job.
"You have the fox guarding the hen house," Fann said.
No connections found between county audit firms and Dominion
One rumor has been that the firms were somehow associated with Dominion Voting Systems, the brand of vote tabulation machine and software that the county uses to process ballots.
The Republic could not find any connections between Dominion and the known executives at Pro V&V and SLI Compliance.
Many claims about Dominion machines have been debunked.
Ryan Macias, a former acting director of the voting systems program at the U.S. Election Assistance Commission who specializes in election technology and security, said Pro V&V and SLI Compliance can be trusted because they were checked for conflicts of interest and issues of impropriety as part of getting their accreditation from the commission.
Macias said these companies also should be trusted to do the audit because they are among the few companies with a comprehensive understanding of voting systems and among the few that actually have access to voting systems through their certification.
A company without a complete understanding of all the aspects of the system — including the functionality and the security — should not be trusted to do a comprehensive audit, Macias said.
Giving an outside company access to county's voting systems
The Senate has not yet chosen who will do its audit.
The Senate considered a firm, Allied Security Operations Group, with connections to the Trump campaign's efforts to overturn election results in several states, according to documents the county released recently.
Fann said she is still researching and getting quotes from companies.
Newly elected Maricopa County Recorder Stephen Richer, along with the county supervisors and county election staff, has said that allowing anyone else besides certified companies to access the voting machines and their source code could jeopardize the integrity of voting systems here and across the country.
Ptashnik said allowing a company access to the county's voting systems opens the county up to potential hacking.
"They will know how that system can be hacked in the future," he said.
But Macias said the election community's viewpoints on the secrecy of voting systems are changing.
Whereas before, there was a reluctance by voting machine companies to have certain types of cybersecurity assessments and source code reviews conducted on their systems, the industry has "matured," and this is less of a concern now.
"There are more and more visibilities into the system as we move forward," he said.
Fann said she wants to find one or two good companies or people with "immaculate reputations" that the Senate can trust.
"I have been spending hundreds of hours trying to track people down," she said.
Fann said she talked to officials for the U.S. Election Assistance Commission about this, and they told her that the type of post-auditing work that is being done and being considered here is "breaking new ground," so there aren't really established practices for it.
"This will set the standard moving forward," she said.
Republic reporter Andrew Oxford contributed to this article.
Reach the reporter at firstname.lastname@example.org or at 602-444-8763. Follow her on Twitter @JenAFifield.