Office of the Comptroller Internal Control Overview & Update October 5, 2007
Internal Control Overview & Update AGENDA Welcome Internal Control Overview – –Howard Olsher, Director of State Audits, SAO Revised Internal Control Guide – –Martin Benison, Comptroller, CTR – –Peter Scavotto, Quality Assurance Bureau Director, CTR Questions & Answers
Howard Olsher Office of the State Auditor
Chapter 647 of the Acts of 1989 An Act Relative to Improving Internal Controls At State Departments
Chapter 647 of the Acts of 1989 Modeled after the Federal Managers Financial Integrity Act. Sets forth the minimum level of quality acceptable for internal controls at State Departments for Financial and Program Operations. Internal controls at State Departments should be established in accordance with the guidelines promulgated by the Office of the Comptroller. Applies to all State Departments in all branches of government.
Chapter 647 of the Acts of 1989 Three Parts of the Law Internal Control Standards Management’s Responsibility (State Departments) Reporting all unaccounted for variances, losses, shortages and theft of funds or property to the Office of the State Auditor.
Part I of Chapter 647 Internal Control Standards 1) 1)Documentation of Internal Control Structure. 2) 2)Transactions promptly recorded, clearly documented and properly classified throughout the lifecycle of the transaction and event. 3) 3)Transactions should be authorized and executed by persons acting within the scope of their authority. 4) 4)Key duties and responsibilities should be segregated for all financial transactions in order to allow for adequate checks and balances. 5) 5)Access to resources only to authorized individuals. 6) 6)Periodic comparison between resources and recorded accountability of resources. 7) 7)Qualified and continuous supervision should be provided to all staff to ensure that internal control objectives are achieved.
Part II of Chapter 647 Management’s Responsibility The Legislation requires that an Official, equivalent in title to an assistant or deputy to the department head (in addition to his/her regular duties) has the responsibility to ensure that: (1)Written documentation of its internal accounting and administrative control system is on file for review by: Office of the State Auditor Office of the Comptroller Office of the Secretary for Administration and Finance (2)Internal Control Structure is evaluated annually or as conditions warrant. (3)Audit recommendations promptly evaluated and corrective action taken by Management. (4)Corrective action is addressed in Management’s budget request to the Legislature.
Part III of Chapter 647 Reporting to the Office of the State Auditor Departments’ Responsibility: (1)All unaccounted for variances, losses, shortages, or thefts of funds or property shall be reported immediately to the Office of the State Auditor. (2)Based on the OSA’s recommendations, Department management is responsible to immediately implement policies and procedures necessary to prevent a reoccurrence of the condition. Office of the State Auditor’s Responsibility: (1) (1)Review the condition to determine amounts involved and report the facts surrounding the condition to the appropriate management and law enforcement officials. (2)Determine the internal control weaknesses that contributed to or caused the condition and make the necessary recommendations to management to correct the internal control weaknesses.
Internal Control Campaign Internal Control Legislation (Chapter 647 of the Acts of 1989) Partnership – –Office of the Comptroller » »Independent department within the Executive Branch » »Increase the efficiency of department financial operations across state government thereby enhancing its delivery of services while ensuring a high level of accountability throughout the Commonwealth’s fiscal operations. – –Office of the State Auditor » »Independent constitutional office within the Commonwealth. » »A catalyst for good government by promoting economy, efficiency, and effectiveness in state government.
Internal Control Campaign (Cont) Internal Control Campaign Objectives – –To increase departments’ awareness of and the importance of Internal Controls. – –To educate departments on internal controls and how they affect department financial and programmatic operations. – –To assist departments and give guidance on the development of an internal control plan. – –To assist departments and give guidance on assessing risks of their operation in order to determine if they have the proper internal controls in place to mitigate risks.
Internal Control Campaign (Cont) Departments are at the point where they understand the importance and concepts of internal controls. Fiscal and Program Managers should view their Internal Control Plan and Risk Assessment as an Insurance Policy.
Office of the State Auditor Audit Approach To Internal Controls Chapter 11, Section 12 of the General Laws Generally Accepted Government Auditing Standards (GAGAS) GAGAS requires a study and evaluation of internal controls OSA audit tests and procedures are based on the study and evaluation of internal controls Review the Department Internal Control Plan Review the Department Risk Assessment Determine if identified risks are taken into consideration in the Internal Control Plan Use and rely on the CTR Internal Control Guide Guide/Reference Document Criteria for audit results
Martin Benison Office of the Comptroller
Office of the Comptroller’s Mission Statement To increase the efficiency of back office operations across state government, thereby enhancing its delivery of services while ensuring a high level of accountability throughout the Commonwealth's financial operations and providing taxpayers assurance that tax dollars are spent for their intended purposes.
A Series of Reliances Treasury Governor's Council Comptroller Department Head Staff Policy, Procedure Internal Controls Warrant Treasury Governor
Peter Scavotto Office of the Comptroller
New Internal Control Guide 1. How did we get here? 2. Status of Internal Control Plans today? 3. Where do we want to go? 4. What do Departments need to do? 5. How can we help?
Previous Guidance Early 90’s: Issued first Internal Control Guide Early 90’s: Issued first Internal Control Guide 1999: Issued Volume 1 – Internal Control Guide for Managers 1999: Issued Volume 1 – Internal Control Guide for Managers 2001: Issued Volume 2 – Internal Control Guide for Departments 2001: Issued Volume 2 – Internal Control Guide for Departments
Previous Guidance 2004: Issued Policy on Internal Control and updated guides with launch of NewMMARS 2004: Issued Policy on Internal Control and updated guides with launch of NewMMARS 2005: Established Quality Assurance Bureau; Quality Assurance Review Process 2005: Established Quality Assurance Bureau; Quality Assurance Review Process
Status of Internal Control Plans Does every agency have a plan? Does every agency have a plan? ICQ: Document internal controls? Yes: 144No: 2 Do they update them? Do they update them? ICQ: …within past year or when warranted? Yes: 138No: 8
What we see: Control activities are documented Control activities are documented All plans need continuous work All plans need continuous work
Plans Are: Not always based on a Risk Assessment Not always based on a Risk Assessment Not always a comprehensive assessment of all aspects of department business Not always a comprehensive assessment of all aspects of department business
Plans Are: Sometimes a compilation of fiscal policies/procedures only – Sometimes a compilation of fiscal policies/procedures only – These are OK for the lower level detail that supports the plan
Where do we want to go? Plans based on Enterprise Risk Management (ERM) Plans based on Enterprise Risk Management (ERM) All programs and activities included All programs and activities included Summarized Summarized Referencing supporting procedures documented elsewhere Referencing supporting procedures documented elsewhere Updated as often as necessary (change), but 1/yr minimum Updated as often as necessary (change), but 1/yr minimum
Enterprise Risk Management Goals Risk Management Business Units
ERM Components Internal Environment Internal Environment tone of the organization Objective Setting Objective Setting support the mission; needed before risk events can be identified
ERM Components Event Identification Event Identification affect achievement of objectives; internal and external Risk Assessment Risk Assessment analyze for likelihood of occurrence; impact if they do occur
ERM Components Risk Response Risk Response avoidaccept reduceshare Control Activities Control Activities policies/procedures are implemented to ensure risk responses are carried out
ERM Components Information and Communication Information and Communication flows down, across and up; enables people to carry out their responsibilities Monitoring Monitoring ongoing activities evaluated; modifications made as necessary
What do Departments need to do? Evaluate mission and goals/objectives Evaluate mission and goals/objectives Involve all managers to cover all programs/activities Involve all managers to cover all programs/activities ID events that threaten success ID events that threaten success ID risk level (occurrence and severity) ID risk level (occurrence and severity) ID controls to mitigate risk ID controls to mitigate risk
What do Departments need to do? Summarize into a plan Summarize into a plan Implement daily activities to support controls Implement daily activities to support controls Share the plan Share the plan Monitor the plan Monitor the plan –test transactions –adjust activities if objectives change
Who’s Involved? Department Head Department Head Senior Staff Senior Staff Fiscal and Program Managers Fiscal and Program Managers Line Staff Line Staff OSA, CTR, ANF OSA, CTR, ANF Internal Audit Internal Audit
How can we help? Revised guide stressing ERM Revised guide stressing ERM Policies on Web Policies on Web Training workshops once/month Training workshops once/month QA reviews to critique plans QA reviews to critique plans Internal Control Questionnaire Internal Control Questionnaire Templates to collect information Templates to collect information
Risk Assessment Template Risk Assessment Template
Risk Inventory
Benefits of a Good Plan Focus on the Right Stuff (day-to-day) Focus on the Right Stuff (day-to-day) Effectiveness and Efficiency Effectiveness and Efficiency Basis for CTR’s Series of Reliance's Basis for CTR’s Series of Reliance's Accurate Financial Reporting Accurate Financial Reporting Ties to Internal Control Questionnaire Ties to Internal Control Questionnaire Compliance Compliance Accomplish Your Goals and Objectives All in Order To:
Wrap Up Evaluate Your Plan Evaluate Your Plan Widen the Scope – all programs/activities Widen the Scope – all programs/activities Do a Risk Assessment – ERM Principles Do a Risk Assessment – ERM Principles Refer to detailed procedures Refer to detailed procedures Summarize the Plan Summarize the Plan Update when necessary and each year Update when necessary and each year
Plan Impact Examples EXECUTIVE ORDER NO. 481 ORDER PROHIBITING THE USE OF UNDOCUMENTED WORKERS ON STATE CONTRACTS EXECUTIVE ORDER NO. 484 LEADING BY EXAMPLE—CLEAN ENERGY AND EFFICIENT BUILDINGS MMARS Policy: Payroll Public Records Exemption An Act Relative to Security Freezes and Notification of Data Breaches Chapter 82 of the Acts of 2007 The Identity Theft Bill and State CIOS CIO Meeting September 26, 2007 Thursday, October 4, 2007 Data for 450,000 mistakenly released Social Security numbers on disks (Boston.com) © Copyright 2007 Globe Newspaper Company.