Office of the Comptroller Internal Control Overview & Update October 5, 2007
Page 1: Office of the Comptroller Internal Control Overview & Update October 5, 2007.

Office of the Comptroller

Internal Control Overview & Update

October 5, 2007

Page 2:

Internal Control Overview & Update

AGENDA

Welcome

Internal Control Overview
– Howard Olsher, Director of State Audits, SAO

Revised Internal Control Guide
– Martin Benison, Comptroller, CTR
– Peter Scavotto, Quality Assurance Bureau Director, CTR

Questions & Answers

Page 3:

Howard Olsher

Office of the State Auditor

Page 4:

Chapter 647 of the Acts of 1989

An Act Relative to Improving Internal Controls At State Departments

Page 5:

Chapter 647 of the Acts of 1989

Modeled after the Federal Managers Financial Integrity Act.

Sets forth the minimum level of quality acceptable for internal controls at State Departments for Financial and Program Operations.

Internal controls at State Departments should be established in accordance with the guidelines promulgated by the Office of the Comptroller.

Applies to all State Departments in all branches of government.

Page 6:

Chapter 647 of the Acts of 1989
Three Parts of the Law

Internal Control Standards

Management’s Responsibility (State Departments)

Reporting all unaccounted for variances, losses, shortages and theft of funds or property to the Office of the State Auditor.

Page 7:

Part I of Chapter 647 Internal Control Standards

1) Documentation of Internal Control Structure.

2) Transactions promptly recorded, clearly documented and properly classified throughout the lifecycle of the transaction and event.

3) Transactions should be authorized and executed by persons acting within the scope of their authority.

4) Key duties and responsibilities should be segregated for all financial transactions in order to allow for adequate checks and balances.

5) Access to resources only to authorized individuals.

6) Periodic comparison between resources and recorded accountability of resources.

7) Qualified and continuous supervision should be provided to all staff to ensure that internal control objectives are achieved.

Page 8:

Part II of Chapter 647
Management’s Responsibility

The Legislation requires that an Official, equivalent in title to an assistant or deputy to the department head (in addition to his/her regular duties) has the responsibility to ensure that:

(1) Written documentation of its internal accounting and administrative control system is on file for review by:
Office of the State Auditor
Office of the Comptroller
Office of the Secretary for Administration and Finance

(2) Internal Control Structure is evaluated annually or as conditions warrant.

(3) Audit recommendations promptly evaluated and corrective action taken by Management.

(4) Corrective action is addressed in Management’s budget request to the Legislature.

Page 9:

Part III of Chapter 647
Reporting to the Office of the State Auditor

Departments’ Responsibility:

(1) All unaccounted for variances, losses, shortages, or thefts of funds or property shall be reported immediately to the Office of the State Auditor.

(2) Based on the OSA’s recommendations, Department management is responsible to immediately implement policies and procedures necessary to prevent a reoccurrence of the condition.

Office of the State Auditor’s Responsibility:

(1) Review the condition to determine amounts involved and report the facts surrounding the condition to the appropriate management and law enforcement officials.

(2) Determine the internal control weaknesses that contributed to or caused the condition and make the necessary recommendations to management to correct the internal control weaknesses.

Page 10:

Internal Control Campaign

Internal Control Legislation (Chapter 647 of the Acts of 1989)

Partnership

– Office of the Comptroller
» Independent department within the Executive Branch
» Increase the efficiency of department financial operations across state government thereby enhancing its delivery of services while ensuring a high level of accountability throughout the Commonwealth’s fiscal operations.

– Office of the State Auditor
» Independent constitutional office within the Commonwealth.
» A catalyst for good government by promoting economy, efficiency, and effectiveness in state government.

Page 11:

Internal Control Campaign (Cont)

Internal Control Campaign Objectives

– To increase departments’ awareness of and the importance of Internal Controls.

– To educate departments on internal controls and how they affect department financial and programmatic operations.

– To assist departments and give guidance on the development of an internal control plan.

– To assist departments and give guidance on assessing risks of their operation in order to determine if they have the proper internal controls in place to mitigate risks.

Page 12:

Internal Control Campaign (Cont)

Departments are at the point where they understand the importance and concepts of internal controls.

Fiscal and Program Managers should view their Internal Control Plan and Risk Assessment as an Insurance Policy.

Page 13:

Office of the State Auditor Audit Approach To Internal Controls

Chapter 11, Section 12 of the General Laws
• Generally Accepted Government Auditing Standards (GAGAS)

GAGAS requires a study and evaluation of internal controls

OSA audit tests and procedures are based on the study and evaluation of internal controls

Review the Department Internal Control Plan

Review the Department Risk Assessment

Determine if identified risks are taken into consideration in the Internal Control Plan

Use and rely on the CTR Internal Control Guide
• Guide/Reference Document
• Criteria for audit results

Page 14:

Martin Benison

Office of the Comptroller

Page 15:

Office of the Comptroller’s Mission Statement

To increase the efficiency of back office operations across state government, thereby enhancing its delivery of services while ensuring a high level of accountability throughout the Commonwealth's financial operations and providing taxpayers assurance that tax dollars are spent for their intended purposes.

Page 16:

A Series of Reliances

[Diagram labels: Treasury; Governor's Council; Comptroller; Department Head; Staff; Policy, Procedure, Internal Controls; Warrant; Treasury; Governor]

Page 17:

Peter Scavotto

Office of the Comptroller

Page 18:

New Internal Control Guide

1. How did we get here?

2. Status of Internal Control Plans today?

3. Where do we want to go?

4. What do Departments need to do?

5. How can we help?

Page 19:

Previous Guidance

Early 90’s: Issued first Internal Control Guide

1999: Issued Volume 1 – Internal Control Guide for Managers

2001: Issued Volume 2 – Internal Control Guide for Departments

Page 20:

Previous Guidance

2004: Issued Policy on Internal Control and updated guides with launch of NewMMARS

2005: Established Quality Assurance Bureau; Quality Assurance Review Process

Page 21:

Status of Internal Control Plans

Does every agency have a plan?

ICQ: Document internal controls?

Yes: 144 No: 2

Do they update them?

ICQ: …within past year or when warranted?

Yes: 138 No: 8

Page 22:

What we see:

Control activities are documented

All plans need continuous work

Page 23:

Plans Are:

Not always based on a Risk Assessment

Not always a comprehensive assessment of all aspects of department business

Page 24:

Plans Are:

Sometimes a compilation of fiscal policies/procedures only –

These are OK for the lower level detail that supports the plan

Page 25:

Where do we want to go?

Plans based on Enterprise Risk Management (ERM)

All programs and activities included

Summarized

Referencing supporting procedures documented elsewhere

Updated as often as necessary (change), but 1/yr minimum

Page 26:

Enterprise Risk Management

Goals

Risk Management

Business Units

Page 27:

ERM Components

Internal Environment
tone of the organization

Objective Setting
support the mission;
needed before risk events can be identified

Page 28:

ERM Components

Event Identification
affect achievement of objectives;
internal and external

Risk Assessment
analyze for likelihood of occurrence;
impact if they do occur

Page 29:

ERM Components

Risk Response
avoid
accept
reduce
share

Control Activities
policies/procedures are implemented to ensure risk responses are carried out

Page 30:

ERM Components

Information and Communication
flows down, across and up;
enables people to carry out their responsibilities

Monitoring
ongoing activities evaluated;
modifications made as necessary

Page 31:

What do Departments need to do?

Evaluate mission and goals/objectives

Involve all managers to cover all programs/activities

ID events that threaten success

ID risk level (occurrence and severity)

ID controls to mitigate risk

Page 32:

What do Departments need to do?

Summarize into a plan

Implement daily activities to support controls

Share the plan

Monitor the plan
– test transactions
– adjust activities if objectives change

Page 33:

Who’s Involved?

Department Head

Senior Staff

Fiscal and Program Managers

Line Staff

OSA, CTR, ANF

Internal Audit

Page 34:

How can we help?

Revised guide stressing ERM

Policies on Web

Training workshops once/month

QA reviews to critique plans

Internal Control Questionnaire

Templates to collect information

Page 35:

Risk Assessment Template

Page 36:

Risk Inventory

Occurrence: V=Very Likely, S=Somewhat Likely, U=Unlikely
Impact: H=High, M=Moderate, L=Low
Control Type: P=Preventative, D=Detective

Item | Risk Event | Occurrence | Impact | Control | Control Type | Reference
Bldg -100, Six sites | Unauthorized site access | S | H | Photo ID Required, all sites | P | Property Management Procedures Manual

Page 37:

Benefits of a Good Plan

Focus on the Right Stuff (day-to-day)

Effectiveness and Efficiency

Basis for CTR’s Series of Reliances

Accurate Financial Reporting

Ties to Internal Control Questionnaire

Compliance

All in Order To:

Accomplish Your Goals and Objectives

Page 38:

Wrap Up

Evaluate Your Plan

Widen the Scope – all programs/activities

Do a Risk Assessment – ERM Principles

Refer to detailed procedures

Summarize the Plan

Update when necessary and each year

Page 39:

Plan Impact Examples

EXECUTIVE ORDER NO. 481
ORDER PROHIBITING THE USE OF UNDOCUMENTED WORKERS ON STATE CONTRACTS

EXECUTIVE ORDER NO. 484
LEADING BY EXAMPLE—CLEAN ENERGY AND EFFICIENT BUILDINGS

MMARS Policy: Payroll Public Records Exemption

An Act Relative to Security Freezes and Notification of Data Breaches
Chapter 82 of the Acts of 2007

The Identity Theft Bill and State CIOSCIO Meeting

September 26, 2007

Thursday, October 4, 2007
Data for 450,000 mistakenly released
Social Security numbers on disks
(Boston.com) © Copyright 2007 Globe Newspaper Company.