The Commonwealth has completed the FY2008 Statewide Single Audit. There were a number of themes where the Office of the State Auditor and the independent auditor of the Commonwealth, KPMG LLP, had findings on Commonwealth operations. The themes are delineated herein to allow for departments to make a judgment as to whether changes are needed in advance of the FY2009 Single Audit.
The following themes were noted as part of the FY2008 Statewide Single Audit. Some resulted in findings and others in management letter comments. The items below are not specific to any one finding or department. The complete audit results can be found at http://www.mass.gov/osc. Click on "Financial Reports" and then on "Single Audit."
In recognition of the American Recovery and Reinvestment Act (ARRA) funds being received by the Commonwealth, it is especially important that all audit findings are resolved and policies and procedures are adhered to. The United States General Accountability Office will be engaged in the Commonwealth during the period of revenue and spending under the act and will be checking for many of these issues. Please see the Office of the State Comptroller's home page for special guidance on ARRA processes and procedures.
Fixed Asset Additions
Capitalization of fixed assets continues to be an issue with departments. Departments have recorded fixed assets in the wrong fiscal years, which generates uneven depreciation expenses for GAAP purposes. To mitigate this, the Office of the State Comptroller has initiated a mid-year inventory review and will do an August inventory review of fixed assets that requires a chief fiscal officer sign-off. Also, our Quality Assurance Bureau is conducting a more in-depth review and analysis of the fixed asset process. We are also working on new reports, policies, procedures and training.
Approval of Personnel Service Costs Charged to Federal Programs
Charges to federal awards for salaries and wages, whether treated as direct or indirect costs, must have proper documentation and approval by a responsible official. Where employees are expected to work solely on a federal award or cost objective, charges for their salaries and wages also need to be supported by periodic certifications that the employees worked solely on that program for the period covered by the certification. This certification needs to be done at least semi-annually and must also be signed by a responsible official having first-hand knowledge of the work performed by the employee.
Nearly every grant requires some form of eligibility to receive funds. Among many other things, this may take the form of a student at an institution of higher education being enrolled and taking a proper number of classes to receive student financial aid. Credentialing criteria, income eligibility or professional licensing may need to be established for some vendors or other recipients who receive grant awards. For some grants, certain recipients, such as undocumented aliens or convicted felons, cannot receive funds except in circumstances allowed in the grant. For human services, case records must have full documentation in accordance with the grant. All eligibility determinations must be made in accordance with either a state plan filed with the Federal government, the grant award itself or General Laws. Audit evidence must be readily available to prove eligibility.
Sub-recipient monitoring continues to be an issue. When departments are granting federal funds to a sub-recipient, including another state agency, a municipality, or a non-profit (often referred to as "pass-through" funds), the department remains responsible for sufficient oversight of the funds (sub-recipient monitoring) to ensure that the funds are spent in accordance with federal grant requirements. The same oversight responsibility applies regardless of the type of funds granted by a department, even if the funds are earmarked to another entity.
For departments that create or are part of a cost allocation plan, federal law requires that these departmental plans be filed on a regular schedule in accordance with the law or grant agreement. These plans must also be approved by CTR prior to filing with the Federal Government. Documentation that supports these plans, such as random moment time studies and the proper individuals / elements being included in allocable costs, must be kept up to date and reviewed for validity and for the impact of organizational changes. If other agencies are to be charged under the plan, those agencies must be charged in a timely manner. For example, termination leave costs are not included in these plans, in accordance with existing policy.
Information Technology Systems Issues and Data Security
It is vitally important that systems that contain personally identifiable records or that process transactions that interface to MMARS be protected. Protection is considered three-pronged. First, departments should be physically restricting access to the hardware/platform on which the systems run. Second, passwords to those systems need to be regularly and systematically changed. These passwords should be robust enough to afford a high level of security. Logs of those changes should be kept for auditor review. Third, any migration of system code changes should be done by individuals who do not develop the new system code. Again, management should routinely log all system changes as actions are taken. Departments also need to monitor access to statewide systems (MMARS, HR/CMS, and CIW) on a regular basis to ensure that levels of access are appropriate and proper segregation of duties is in place.
Data should be backed up at least daily. Restoration programs should be run at least annually to verify that the data on backup tapes / drives matches current data.
Finally, data security is everyone's business no matter what system is used. Departments need to make sure that all new hires have the proper security and that they are monitored. All personnel who terminate service with the Commonwealth should have security access and functions cancelled immediately. If you have any questions, please contact the helpdesk at (617) 973-2468.