To: Legislative Leadership, Judicial Branch Administrators, Elected Officials, Secretariats, Department Heads, Chief
Fiscal Officers and Single Audit Liaisons
From: Martin J. Benison, Comptroller
Date: March 25, 2014
Re: Areas of Audit Issues from the 2013 Single Audit – Preparation for 2014
Comptroller Memo FY#2014-22
The Commonwealth’s FY2013 Single Audit has been completed. This year we have noted fewer recurring themes to the findings prepared by KPMG LLP, the independent audit firm. These are described below to allow departments to consider whether changes are needed in preparation for the FY2014 Single Audit, which will be starting soon.
Capital Asset Additions
The recording and capitalization of capital assets has improved significantly over the past several audits. We thank departments for their due diligence and remind you to continue to pay attention to compliance with construction in progress (CIP) and the use of retainage related to capital projects. Departments should pay particular attention to the timeliness of recording capital asset additions in MMARS.
The Office of the Comptroller (CTR) continues its semi-annual review of Capital Assets information in August and February. Please assure that all changes to assets are entered in MMARS as of December 31st and June 30th respectively. These capital asset inventory reviews require the chief fiscal officer to sign-off on the accuracy and completeness of the data recorded in MMARS.
Allowable Costs/ Cost Principles
Also notable is the increased accuracy in Federal Financial Participation claim reimbursements, as well as support for administrative costs and cost allocation plans. As a reminder, all cost allocation plans must be filed on a regular schedule in accordance with federal law or the grant agreement. These plans must first be approved by the Comptroller’s Federal Grant and Cost Allocation Bureau prior to filing with the Federal Government.
The auditors reported the following issues as part of the FY2013 Single Audit. Some resulted in findings and others in management letter comments. The topics below are not specific to any one finding or department. The complete audit results can be found at http://www.mass.gov/osc/publications-and-reports/financial-reports/single-audits.html.
Information Technology System Issues and Data Security
Data in department-managed systems must be protected, especially systems containing personally identifiable information and those that interface with the financial systems, MMARS and HR/CMS. Data should be backed up at least daily and a copy stored at an off-site location. Restoration processes should be tested at least annually to assure that data can be restored from backup media. Data security is everyone’s business no matter what media or system is used. Departments need to assure that all new hires have the proper security to their systems (no more than that needed to complete their duties) and that they are monitored. Personnel who terminate service with the department should have security access and functions cancelled immediately.
The single audit continues to reveal instances of passwords that are not complex, logical access that is too broad and a lack of segregation of duties in change management controls.
Departments must also monitor access to statewide systems (MMARS, HR/CMS, and CIW) on a regular basis to ensure that levels of access are appropriate and proper segregation of duties is in place. The Enterprise Security Policy requires annual certification by the Department Head (by June 30th) and Department Security Officers (by December 31st).
Cost Allocation Plan
Departments are required to follow Public Assistance Cost Allocation Plan (PACAP) procedures which are used to identify, measure, and allocate all costs to each of the programs administered by the Department. An inaccurate or inconsistent allocation methodology or control deficiency allows errors to go undetected in the system. Procedures should be developed by each department to ensure that costs are accurately calculated per the PACAP.
Federal Reporting – The Federal Funding Accountability and Transparency Act (FFATA)
All grant programs have reporting requirements, both financial and non-financial, that are specific to the grant. FFATA reporting is applicable to all grants over $25,000 and requires prime recipients to register in the FFATA Sub-award Reporting System (FSRS) and report additional information on its sub-recipients.
Eligibility Determination for Grant Programs
Nearly every grant requires some form of eligibility for a recipient to receive funds. For example, credentialing criteria, income eligibility or professional licensing may need to be established and verified for vendors or others who receive grant awards. Human service case records must have full documentation in accordance with the grant. Departments must also substantiate this eligibility process. All eligibility determinations must be made in accordance with either a state plan filed with the Federal government, the grant award itself, or General Laws. Evidence must be readily available to prove eligibility.
Sub-recipient monitoring continues to be an issue. When departments are granting federal funds to a sub-recipient, including another state agency, a municipality, or a non-profit (often referred to as "pass-through" funds), the department remains responsible for sufficient oversight of the funds (sub-recipient monitoring) to ensure that the funds are spent in accordance with federal grant requirements. The same oversight responsibility applies regardless of the type of funds granted by a department, even if the funds are earmarked to another entity.