Office of the Comptroller
Internal Control Overview & Update
October 5, 2007
Dec 26, 2015
Internal Control Overview & Update
AGENDA
Welcome
Internal Control Overview
– Howard Olsher, Director of State Audits, SAO
Revised Internal Control Guide
– Martin Benison, Comptroller, CTR
– Peter Scavotto, Quality Assurance Bureau Director, CTR
Questions & Answers
Chapter 647 of the Acts of 1989
Modeled after the Federal Managers Financial Integrity Act.
Sets forth the minimum level of quality acceptable for internal controls at State Departments for Financial and Program Operations.
Internal controls at State Departments should be established in accordance with the guidelines promulgated by the Office of the Comptroller.
Applies to all State Departments in all branches of government.
Chapter 647 of the Acts of 1989
Three Parts of the Law
Internal Control Standards
Management’s Responsibility (State Departments)
Reporting all unaccounted for variances, losses, shortages and theft of funds or property to the Office of the State Auditor.
Part I of Chapter 647 Internal Control Standards
1) Documentation of Internal Control Structure.
2) Transactions promptly recorded, clearly documented and properly classified throughout the lifecycle of the transaction and event.
3) Transactions should be authorized and executed by persons acting within the scope of their authority.
4) Key duties and responsibilities should be segregated for all financial transactions in order to allow for adequate checks and balances.
5) Access to resources only to authorized individuals.
6) Periodic comparison between resources and recorded accountability of resources.
7) Qualified and continuous supervision should be provided to all staff to ensure that internal control objectives are achieved.
Part II of Chapter 647
Management’s Responsibility
The Legislation requires that an Official, equivalent in title to an assistant or deputy to the department head (in addition to his/her regular duties) has the responsibility to ensure that:
(1) Written documentation of its internal accounting and administrative control system is on file for review by:
– Office of the State Auditor
– Office of the Comptroller
– Office of the Secretary for Administration and Finance
(2) Internal Control Structure is evaluated annually or as conditions warrant.
(3) Audit recommendations promptly evaluated and corrective action taken by Management.
(4) Corrective action is addressed in Management’s budget request to the Legislature.
Part III of Chapter 647
Reporting to the Office of the State Auditor
Departments’ Responsibility:
(1) All unaccounted for variances, losses, shortages, or thefts of funds or property shall be reported immediately to the Office of the State Auditor.
(2) Based on the OSA’s recommendations, Department management is responsible to immediately implement policies and procedures necessary to prevent a reoccurrence of the condition.
Office of the State Auditor’s Responsibility:
(1) Review the condition to determine amounts involved and report the facts surrounding the condition to the appropriate management and law enforcement officials.
(2) Determine the internal control weaknesses that contributed to or caused the condition and make the necessary recommendations to management to correct the internal control weaknesses.
Internal Control Campaign
Internal Control Legislation (Chapter 647 of the Acts of 1989)
Partnership
– Office of the Comptroller
» Independent department within the Executive Branch
» Increase the efficiency of department financial operations across state government thereby enhancing its delivery of services while ensuring a high level of accountability throughout the Commonwealth’s fiscal operations.
– Office of the State Auditor
» Independent constitutional office within the Commonwealth.
» A catalyst for good government by promoting economy, efficiency, and effectiveness in state government.
Internal Control Campaign (Cont)
Internal Control Campaign Objectives
– To increase departments’ awareness of and the importance of Internal Controls.
– To educate departments on internal controls and how they affect department financial and programmatic operations.
– To assist departments and give guidance on the development of an internal control plan.
– To assist departments and give guidance on assessing risks of their operation in order to determine if they have the proper internal controls in place to mitigate risks.
Internal Control Campaign (Cont)
Departments are at the point where they understand the importance and concepts of internal controls.
Fiscal and Program Managers should view their Internal Control Plan and Risk Assessment as an Insurance Policy.
Office of the State Auditor Audit Approach To Internal Controls
Chapter 11, Section 12 of the General Laws
• Generally Accepted Government Auditing Standards (GAGAS)
GAGAS requires a study and evaluation of internal controls
OSA audit tests and procedures are based on the study and evaluation of internal controls
Review the Department Internal Control Plan
Review the Department Risk Assessment
Determine if identified risks are taken into consideration in the Internal Control Plan
Use and rely on the CTR Internal Control Guide
• Guide/Reference Document
• Criteria for audit results
Office of the Comptroller’s Mission Statement
To increase the efficiency of back office operations across state government, thereby enhancing its delivery of services while ensuring a high level of accountability throughout the Commonwealth's financial operations and providing taxpayers assurance that tax dollars are spent for their intended purposes.
A Series of Reliances
[Diagram: Treasury; Governor's Council; Comptroller; Department Head; Staff; Policy, Procedure, Internal Controls; Warrant; Treasury; Governor]
New Internal Control Guide
1. How did we get here?
2. Status of Internal Control Plans today?
3. Where do we want to go?
4. What do Departments need to do?
5. How can we help?
Previous Guidance
Early 90’s: Issued first Internal Control Guide
1999: Issued Volume 1 – Internal Control Guide for Managers
2001: Issued Volume 2 – Internal Control Guide for Departments
Previous Guidance
2004: Issued Policy on Internal Control and updated guides with launch of NewMMARS
2005: Established Quality Assurance Bureau; Quality Assurance Review Process
Status of Internal Control Plans
Does every agency have a plan?
ICQ: Document internal controls?
Yes: 144 No: 2
Do they update them?
ICQ: …within past year or when warranted?
Yes: 138 No: 8
What we see:
Control activities are documented
All plans need continuous work
Plans Are:
Not always based on a Risk Assessment
Not always a comprehensive assessment of all aspects of department business
Plans Are:
Sometimes a compilation of fiscal policies/procedures only –
These are OK for the lower level detail that supports the plan
Where do we want to go?
Plans based on Enterprise Risk Management (ERM)
All programs and activities included
Summarized
Referencing supporting procedures documented elsewhere
Updated as often as necessary (change), but 1/yr minimum
ERM Components
Internal Environment
– tone of the organization
Objective Setting
– support the mission; needed before risk events can be identified
ERM Components
Event Identification
– affect achievement of objectives; internal and external
Risk Assessment
– analyze for likelihood of occurrence; impact if they do occur
ERM Components
Risk Response
– avoid
– accept
– reduce
– share
Control Activities
– policies/procedures are implemented to ensure risk responses are carried out
ERM Components
Information and Communication
– flows down, across and up; enables people to carry out their responsibilities
Monitoring
– ongoing activities evaluated; modifications made as necessary
What do Departments need to do?
Evaluate mission and goals/objectives
Involve all managers to cover all programs/activities
ID events that threaten success
ID risk level (occurrence and severity)
ID controls to mitigate risk
What do Departments need to do?
Summarize into a plan
Implement daily activities to support controls
Share the plan
Monitor the plan
– test transactions
– adjust activities if objectives change
Who’s Involved?
Department Head
Senior Staff
Fiscal and Program Managers
Line Staff
OSA, CTR, ANF
Internal Audit
How can we help?
Revised guide stressing ERM
Policies on Web
Training workshops once/month
QA reviews to critique plans
Internal Control Questionnaire
Templates to collect information
Risk Inventory
Occurrence: V=Very Likely, S=Somewhat Likely, U=Unlikely
Impact: H=High, M=Moderate, L=Low
Control Type: P=Preventative, D=Detective
Item | Risk Event | Occurrence | Impact | Control | Control Type | Reference
Bldg -100, Six sites | Unauthorized site access | S | H | Photo ID Required all sites | P | Property Management Procedures Manual
Benefits of a Good Plan
Focus on the Right Stuff (day-to-day)
Effectiveness and Efficiency
Basis for CTR’s Series of Reliances
Accurate Financial Reporting
Ties to Internal Control Questionnaire
Compliance
All in Order To:
Accomplish Your Goals and Objectives
Wrap Up
Evaluate Your Plan
Widen the Scope – all programs/activities
Do a Risk Assessment – ERM Principles
Refer to detailed procedures
Summarize the Plan
Update when necessary and each year
Plan Impact Examples
EXECUTIVE ORDER NO. 481
ORDER PROHIBITING THE USE OF UNDOCUMENTED WORKERS ON STATE CONTRACTS
EXECUTIVE ORDER NO. 484
LEADING BY EXAMPLE—CLEAN ENERGY AND EFFICIENT BUILDINGS
MMARS Policy: Payroll Public Records Exemption
An Act Relative to Security Freezes and Notification of Data Breaches
Chapter 82 of the Acts of 2007
The Identity Theft Bill and State CIOSCIO Meeting
September 26, 2007
Thursday, October 4, 2007
Data for 450,000 mistakenly released
Social Security numbers on disks
(Boston.com) © Copyright 2007 Globe Newspaper Company.