To: Legislative Leadership, Judicial Branch Administrators, Elected Officials, Secretariats, Department Heads, Chief Fiscal Officers and Single Audit Liaisons
From: Martin J. Benison, Comptroller
Date: April 15, 2010
Re: Areas of Audit Issues from 2009 - Preparation for 2010
The Commonwealth has completed the FY2009 Statewide Single Audit. There were a number of themes where the Office of the State Auditor and the independent auditor of the Commonwealth, KPMG LLP, had findings on Commonwealth operations. The themes are delineated herein so that departments can judge whether changes are needed in advance of the FY2010 Single Audit.
The following themes were noted as part of the FY2009 Statewide Single Audit. Some resulted in findings and others in management letter comments. The items below are not specific to any one finding or department. The complete audit results can be found at http://www.mass.gov/osc. Click on "Financial Reports" and then on "Single Audit" to review the reports.
In recognition of the American Recovery and Reinvestment Act (ARRA) funds being received by the Commonwealth, it is especially important that all audit findings are resolved and policies and procedures are adhered to fully. The United States General Accountability Office (GAO) will be engaged in the Commonwealth during the period of revenue and spending under the act and will be checking for many of these issues. Please see the Comptroller of the Commonwealth's home page for additional guidance on ARRA processes and procedures.
Capital Asset Additions
Capitalization of capital assets continues to be an issue. Some departments have recorded capital assets in the wrong fiscal years, which generates uneven depreciation expenses for GAAP purposes. To mitigate this, the Office of the Comptroller (CTR) instituted an August and a mid-fiscal year inventory review of capital assets that requires the chief fiscal officer to sign off. Also, our Quality Assurance Bureau is conducting a more in-depth review and analysis of the capital asset process. New reports are in place. Additional and updated policies, procedures and training are forthcoming.
Information that is provided to CTR for receivables and other items to comply with GAAP is very important and should not be taken lightly by a department. If a department does not understand what is required in a GAAP package or for an accrual of revenues, reach out to the Financial Reporting and Analysis Bureau for explanation. Departments need to understand this information to make informed decisions that are then included as part of the audit.
Nearly every grant requires some form of eligibility to receive funds. For example, to receive student financial aid a student is required to be enrolled at an institution of higher education taking a proper amount of classes. Credentialing criteria, income eligibility or professional licensing may need to be established and verified for vendors or other recipients who receive grant awards. For some grants, undocumented aliens or convicted felons cannot receive funds, except for circumstances allowed in the grant. For human services, case records must have full documentation in accordance with the grant. Departments must also have a robust reporting system to substantiate this eligibility process. All eligibility determinations must be made in accordance with either a state plan filed with the Federal government, the grant award itself or General Laws. Audit evidence must be readily available to prove eligibility.
Sub-recipient and Vendor Monitoring
Sub-recipient monitoring continues to be an issue and is heavily emphasized in the awarding of ARRA funds. When departments are granting federal funds to a sub-recipient, including another state agency, a municipality or a non-profit (often erroneously referred to as "pass-through" funds), the department remains responsible for sufficient oversight of the funds (sub-recipient monitoring) to ensure that funds are spent in accordance with federal grant requirements. The same oversight responsibility applies regardless of the type of funds granted by a department, even if the funds are earmarked to another entity.
Vendors also need to be monitored for compliance with ARRA grants. In some cases, certification of payroll needs to occur for each week in which any grant funded work is performed and must be available for audit. Other provisions of ARRA that apply to vendors are included on our website under the ARRA controls and compliance section.
For departments that create or are part of a cost allocation plan, federal law requires that their plans be filed on a regular schedule in accordance with the law or grant agreement. These plans must first be approved by CTR prior to filing with the Federal Government. Documentation that supports these plans, such as random moment time studies and proper individuals / elements being included in allocable costs, must be maintained and reviewed for the impact of organizational changes or their validity. If other agencies are to be charged under the plan, those agencies must be charged in a timely manner. For example, termination leave costs are not included in these plans, in accordance with existing policy.
Maintenance of Effort
Many grants contain provisions that require a level of effort to be maintained. This is proven by time sheets, program information or other goals being achieved. For time sheets, the Commonwealth's Human Resources Division has a time and attendance policy that requires time sheets to be approved by a supervisor. Without a supervisor's signature, there is no assurance that payroll expenditures are accurate and valid and that the grant program is being properly charged for actual time worked on a program. The ARRA best practices group has posted to our website a suggested format for tracking payroll expenditures by program that is acceptable to demonstrate maintenance of effort.
All grant programs have reporting requirements specific to the grant. These requirements may be financial and non-financial. For financial information, reported amounts need to reconcile to MMARS data. Source documentation, query methodology, policies and procedures need to be readily available to personnel responsible for filing the reports so they can be timely and accurate.
Information Technology System Issues and Data Security
It is vitally important that systems that contain personally identifiable records or that process transactions that interface to MMARS be protected. Protection is considered three-pronged. First, departments should physically restrict access to the hardware/platform on which the systems run. Second, passwords to those systems must require regular changes by users. These passwords should be robust enough to afford a high level of security. Logs of those changes should be kept for auditor review. Third, any migration of system code changes should be done by individuals who do not develop the new system code. Again, management should routinely log all system changes as the actions are taken. Departments must monitor access to statewide systems (MMARS, HR/CMS, and CIW) on a regular basis to ensure that levels of access are appropriate and proper segregation of duties is in place. The enterprise security policy posted on the CTR portal requires annual certification by the Department Head (by June 30) and Department Security Officers (by December 31). Software developer activity should be monitored for changes to code and batch jobs to assure that no changes occur without formal approval from business as well as technical managers.
Data should be backed up at least daily and a copy stored at an off-site location. Restoration processes should be tested at least annually to assure that data can be restored from backup tapes/drives to current.
Finally, data security is everyone's business no matter what media or system is used to collect, manage or store it. Departments need to assure that all new hires have the proper security (no more than that needed to complete their duties) and that they are monitored. Personnel who terminate service with the department should have security access and functions cancelled immediately. If you have any questions, please contact the helpdesk at (617) 973-2468.
The White House Office of Management and Budget (OMB) is drafting the 2010 compliance supplement to Circular A-133 (Single Audit). The supplement is expected to have far more coverage of ARRA awards than 2009 and may focus heavily on aspects of ARRA such as the "Buy American" provisions and the reporting of jobs under Section 1512 of the Act. This new supplement may change the items that the Commonwealth's auditors will require from your department. Once the supplement is posted on OMB's website, CTR will provide a link to it on our ARRA website for your reference as you get ready for the 2010 single audit.