To: Legislative Leadership, Judicial Branch Administrators, Elected Officials, Secretariats, Department Heads,
Chief Fiscal Officers and Single Audit Liaisons
From: Martin J. Benison, Comptroller
Date: April 10, 2012
Re: Areas of Audit Issues from 2011 – Preparation for 2012
Comptroller Memo FY#2012-20
The Commonwealth’s FY2011 Statewide Single Audit has been completed. We have noted several recurring themes to the findings prepared by the Office of the State Auditor and KPMG LLP, the independent audit firm. These are described below to allow departments to consider whether changes are needed in preparation for the FY2012 Single Audit, which will be starting soon.
The auditors noted the following issues as part of the FY2011 Statewide Single Audit. Some resulted in findings and others in management letter comments. The topics below are not specific to any one finding or department. The complete audit results can be found at http://www.mass.gov/osc/publications-and-reports/financial-reports/single-audits.html.
In recognition of the American Recovery and Reinvestment Act (ARRA) funds being received by the Commonwealth, it is especially important that departments resolve all audit findings and comply with all policies and procedures. The United States General Accountability Office (GAO) will be checking for many of these issues. Please see the Comptroller of the Commonwealth’s home page for additional guidance on ARRA processes and procedures.
Internal Control Accountability
Both Commonwealth and Federal laws require that departments develop and use internal controls to provide reasonable assurance of reliable reports, effective and efficient operations, mitigation of risks and compliance with laws and regulations. To fulfill this requirement, departments must ensure that all department business is appropriately authorized and that this authorization is documented. For example, authorized personnel must review and approve invoices before they are paid to ensure that costs charged to federal grants or programs are appropriate.
Cost Allocation/Time Sheet Approval
Important note on the new Self-Service Time and Attendance application being rolled out to HR/CMS users this year: all departments that will be transitioning to Self-Service Time and Attendance should begin to update their internal policies and procedures to reflect the business process changes that this new application will necessitate.
For departments that create, or are part of, a cost allocation plan, federal law requires that their plans be filed on a regular schedule in accordance with the law or grant agreement. These plans must first be approved by CTR prior to filing with the Federal Government. Documentation that supports these plans, such as random moment time studies and evidence that the proper individuals and cost elements are included in allocable costs, must be maintained and reviewed for validity and for the impact of organizational changes. If other agencies are to be charged under the plan, those agencies must be charged timely. For example, termination leave costs are not included in these plans, in accordance with existing policy.
Maintenance of Effort
Many grants contain provisions that require a level of effort to be maintained. This is proven by time sheets, program information or other goals being achieved. Time sheets must be approved by a supervisor.
The absence of a supervisor's approval does not provide the assurance that payroll expenditures are accurate and valid and that the grant program is being properly charged for actual time worked on a program.
The ARRA best practices group has posted to our website a suggested format for tracking payroll expenditures by program that is acceptable to demonstrate maintenance of effort.
All grant programs have reporting requirements, both financial and non-financial, that are specific to the grant. Financial information must reconcile to MMARS. Source documentation, query methodology, policies, and procedures need to be readily available to personnel responsible for filing the reports so they can be timely and accurate.
Capital Asset Additions
Capitalization of fixed assets continues to be an issue. Departments are required to pay particular attention to the timeliness of recording capital asset additions in MMARS. It was noted that some departments have recorded capital assets in the wrong fiscal year, causing a distortion of capital asset presentation and depreciation expenses in the statewide CAFR financial statements. To address this issue, the Office of the Comptroller (CTR) instituted a semi-annual review of Capital Assets information in August and again at mid-fiscal year. All changes to assets must be entered in MMARS as of June 30th and December 31st respectively. These capital asset inventory reviews require the chief fiscal officer's sign-off on the accuracy and completeness of the data recorded in MMARS.
Eligibility Determination for Most Grant Programs
Nearly every grant requires some form of eligibility to receive funds. For example, a student receiving student financial aid must be enrolled at an institution of higher education and carry at least a minimum credit load. Credentialing criteria, income eligibility or professional licensing may need to be established and verified for vendors or other recipients who receive grant awards. Human service case records must have full documentation in accordance with the grant. Departments must also substantiate this eligibility process. All eligibility determinations must be made in accordance with either a state plan filed with the Federal government, the grant award itself, or the General Laws. Evidence must be readily available to prove eligibility.
Information Technology System Issues and Data Security
Data systems must be protected, especially systems containing personally identifiable information and those that interface with the financial systems, MMARS and HR/CMS. Well-controlled systems use three levels of protection. First, departments should physically restrict access to the hardware/platform on which the systems run. Second, passwords to those systems must require regular changes by users. These passwords should be robust enough to afford a high level of security. Third, any migration of system code changes should be done by individuals who do not develop the new system code. Management should routinely log all system changes as the actions are taken. Software developer activity should be monitored for changes to code and batch jobs to assure that no changes occur without formal approval from business and technical managers.
Departments must monitor access to statewide systems (MMARS, HR/CMS, and CIW) on a regular basis to ensure that levels of access are appropriate and proper segregation of duties is in place. The enterprise security policy requires annual certification by the Department Head (by June 30) and Department Security Officers (by December 31).
Data in department managed systems should be backed up at least daily and a copy stored at an off-site location. Restoration processes should be tested at least annually to assure that data can be restored from backup media. Data security is everyone’s business no matter what media or system is used. Departments need to assure that all new hires have the proper security (no more than that needed to complete their duties) and that they are monitored. Personnel who terminate service with the department should have security access and functions cancelled immediately. If you have any questions, please contact the helpdesk at (617) 973-2468.
cc: MMARS Liaisons, Payroll Directors, General Counsels, Internal Control Officers, Internal Distribution