Comptroller Memo
To: Legislative Leadership, Judicial Branch Administrators, Elected Officials, Secretariats, Department Heads, Chief Fiscal Officers and Single Audit Liaisons
From: Martin J. Benison, Comptroller
Date: April 21, 2011
Re: Areas of Audit Issues from 2010 - Preparation for 2011
The Commonwealth's FY2010 Statewide Single Audit has been completed. We have noted several recurring themes to the findings prepared by the Office of the State Auditor and KPMG LLP, the independent audit firm. These are described below to allow departments to consider whether changes are needed in preparation for the FY2011 Single Audit, which will be starting soon.
The auditors noted the following issues as part of the FY2010 Statewide Single Audit. Some resulted in findings and others in management letter comments. The topics below are not specific to any one finding or department. The complete audit results can be found on the Single Audit page of the CTR Web Portal.
In recognition of the American Recovery and Reinvestment Act (ARRA) funds being received by the Commonwealth, it is especially important that departments resolve all audit findings and comply with all policies and procedures. The United States General Accountability Office (GAO) will be checking for many of these issues. Please see the Comptroller of the Commonwealth's home page for additional guidance on ARRA processes and procedures.
Internal Control Accountability
Both Commonwealth and Federal laws require that departments develop and use internal controls to provide reasonable assurance of reliable reports, effective and efficient operations, mitigation of risks and compliance with laws and regulations. To fulfill this requirement, departments must ensure that all department business is appropriately authorized and that this authorization is documented. For example, authorized personnel must review and approve invoices before they are paid to ensure costs are appropriate; time sheets must be approved by a supervisor. Without an authorized signature, the department cannot prove that the federal grant or program was charged properly.
All grant programs have reporting requirements, both financial and non-financial, that are specific to the grant. Financial information must reconcile to MMARS. Source documentation, query methodology, policies, and procedures need to be readily available to personnel responsible for filing the reports so they can be timely and accurate.
Capital Asset Additions
Capitalization of fixed assets continues to be an issue. Departments are required to pay particular attention to the timeliness of recording capital asset additions in MMARS. It was noted that some departments have recorded capital assets in the wrong fiscal year, causing a distortion of capital asset presentation and depreciation expenses in the state-wide CAFR financial statements. To address this issue, the Office of the Comptroller (CTR) instituted a semi-annual review of Capital Assets information in August and again at mid-fiscal year. All changes to assets must be entered in MMARS as of December 31st and June 30th, respectively. These capital asset inventory reviews require the chief fiscal officer's sign-off on the accuracy and completeness of the data recorded in MMARS.
Information that is provided to CTR for receivables and other items to comply with GAAP is very important and should not be taken lightly by a department. If a department does not understand what is required in a GAAP package or for an accrual of revenues, it should request assistance from this Office. Departments need to understand this information to make informed decisions, which are then included as part of the audit. It is important to note that estimates of uncollectibles for GAAP purposes may be different from statutory requirements to write off bad debt. Note: the year-end accruals are subject to external audit; therefore departments should maintain proper documentation to support the rationale for each account.
Eligibility Determination for Most Grant Programs
Nearly every grant requires some form of eligibility to receive funds. For example, a student receiving student financial aid must be enrolled at an institution of higher education and carry at least a minimum credit load. Credentialing criteria, income eligibility, or professional licensing may need to be established and verified for vendors or other recipients who receive grant awards. Human service case records must have full documentation in accordance with the grant. Departments must also substantiate this eligibility process. All eligibility determinations must be made in accordance with either a state plan filed with the Federal government, the grant award itself, or General Laws. Evidence must be readily available to prove eligibility.
Sub-recipient and Vendor Monitoring
Sub-recipient monitoring has again been identified as an issue. When departments grant federal funds to a sub-recipient, including another state agency, a municipality, or a non-profit (often referred to as "pass-through" funds), the department remains responsible for sufficient oversight of the funds (sub-recipient monitoring) to ensure that funds are spent in accordance with federal grant requirements. The same oversight responsibility applies regardless of the type of funds granted by a department, even if the funds are earmarked to another entity.
Vendors also need to be monitored for compliance with federal grants. In some cases, certification of payroll needs to occur for each week in which any grant funded work is performed and must be available for audit. Additional provisions of ARRA that apply to vendors are included on our website under the ARRA controls and compliance section.
Information Technology System Issues and Data Security
Data systems must be protected, especially systems containing personally identifiable information and those that interface with the financial systems, MMARS and HR/CMS. Well-controlled systems use three levels of protection. First, departments should physically restrict access to the hardware/platform on which the systems run. Second, passwords to those systems must require regular changes by users. These passwords should be robust enough to afford a high level of security. Third, any migration of system code changes should be done by individuals who do not develop the new system code. Management should routinely log all system changes as the actions are taken. Software developer activity should be monitored for changes to code and batch jobs to assure that no changes occur without formal approval from business and technical managers.
Departments must monitor access to statewide systems (MMARS, HR/CMS, and CIW) on a regular basis to ensure that levels of access are appropriate and proper segregation of duties is in place. The enterprise security policy requires annual certification by the Department Head (by June 30) and Department Security Officers (by December 31).
Data in department managed systems should be backed up at least daily and a copy stored at an off-site location. Restoration processes should be tested at least annually to assure that data can be restored from backup media. Data security is everyone's business no matter what media or system is used. Departments need to assure that all new hires have the proper security (no more than that needed to complete their duties) and that they are monitored. Personnel who terminate service with the department should have security access and functions cancelled immediately. If you have any questions, please contact the helpdesk at (617) 973-2468.
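The access review described above (confirming that separated personnel no longer hold access and that segregation of duties is in place) can be run as a reconciliation between the HR separations list and a system access roster. The following is an added example, not code from the Comptroller's Office; the field names, role codes (AP_ENTRY, AP_APPROVE, REPORT_VIEW) and sample records are constructed for illustration and do not reflect the real MMARS or HR/CMS schemas.

```python
from datetime import date

# Constructed sample data: a separations list as it might be exported from
# HR/CMS, and an access roster for a financial system such as MMARS.
# Field names and role codes below are hypothetical.
SEPARATIONS = {            # employee id -> last day of service
    "E1001": date(2011, 2, 28),
    "E1002": date(2011, 4, 15),
}

ACCESS_ROSTER = [          # one row per user account on the financial system
    {"emp_id": "E1001", "user": "jdoe",   "active": True,  "roles": {"AP_ENTRY"}},
    {"emp_id": "E1002", "user": "asmith", "active": False, "roles": {"AP_APPROVE"}},
    {"emp_id": "E1003", "user": "bwong",  "active": True,  "roles": {"AP_ENTRY", "AP_APPROVE"}},
    {"emp_id": "E1004", "user": "clee",   "active": True,  "roles": {"REPORT_VIEW"}},
]

# Role combinations one person should not hold at once (segregation of duties).
# Here AP_ENTRY records an invoice for payment and AP_APPROVE authorizes it.
SOD_CONFLICTS = [({"AP_ENTRY", "AP_APPROVE"}, "enter and approve invoices")]


def orphaned_accounts(roster, separations, as_of):
    """Active accounts whose owner separated from the department on or before as_of."""
    return sorted(
        row["user"] for row in roster
        if row["active"] and row["emp_id"] in separations
        and separations[row["emp_id"]] <= as_of
    )


def sod_violations(roster, conflicts=SOD_CONFLICTS):
    """Active users holding every role in a conflicting set, with the reason."""
    return sorted(
        (row["user"], reason)
        for row in roster if row["active"]
        for roles, reason in conflicts if roles <= row["roles"]
    )


def access_review(roster=ACCESS_ROSTER, separations=SEPARATIONS, as_of=date(2011, 4, 21)):
    """Exceptions a Department Security Officer would clear before certifying access."""
    return {
        "orphaned": orphaned_accounts(roster, separations, as_of),
        "sod": sod_violations(roster),
    }


if __name__ == "__main__":
    for kind, items in access_review().items():
        print(kind, items)
```

With the sample data, the review flags jdoe (separated February 28 but still active) and bwong (able to both enter and approve invoices); asmith is not flagged because the account is already inactive.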