To: Legislative Leadership, Judicial Branch Administrators, Elected Officials, Secretariats, Department Heads, Chief Fiscal Officers and Single Audit Liaisons
From: Martin J. Benison, Comptroller
Date: April 10, 2013
Re: Areas of Audit Issues from the 2012 Single Audit – Preparation for 2013
Comptroller Memo FY#2013-20
The Commonwealth’s FY2012 Single Audit has been completed. This year we have noted fewer recurring themes to the findings prepared by KPMG LLP, the independent audit firm. These are described below to allow departments to consider whether changes are needed in preparation for the FY2013 Single Audit, which will be starting soon.
Timeliness of the Closing Process
Especially noteworthy this year is the positive impact of having the final supplemental budget approved on August 7, 2012. This was instrumental in accelerating the Commonwealth timeline to meet deadlines for required deliverables to KPMG for review of the Statutory Basis Financial Report (SBFR) and audit of the Comprehensive Annual Report (CAFR). It also led to a much earlier completion of the Single Audit, clearing a finding from the prior year.
Time Sheet Approval
Also of note in 2012 was the lack of time sheet approval findings in the departments that transitioned to HR/CMS Self-Service Time and Attendance (SSTA) - while there were some occurrences in departments that had not yet transitioned
The auditors reported the following issues as part of the FY2012 Single Audit. Some resulted in findings and others in management letter comments. The topics below are not specific to any one finding or department. The complete audit results can be found at http://www.mass.gov/osc/publications-and-reports/financial-reports/single-audits.html.
Allowable Costs/ Cost Principals
There are still incidents concerning Federal Financial Participation claim reimbursements, as well as support for administrative costs and cost allocation plans.
For departments that create, or are part of, a cost allocation plan, federal law requires that their plans be filed on a regular schedule in accordance with the law or grant agreement. These plansmust first be approved by the Comptroller’s Federal Grant and Cost Allocation Bureau prior to filing with the Federal Government. Documentation that supports these plans, such as random moment time studies and proper individuals/elements being included in allocable costs, must be maintained and reviewed for the impact of organizational changes or their validity. If other agencies are to be charged under the plan, those agencies must be charged timely. For example, termination leave costs are not included in these plans, in accordance with existing policy.
Many grants contain provisions that require a level of effort to be maintained. Time allocated to different grants must be recorded on time sheets and authorized by a supervisor. The absence of a supervisor's approval does not provide the assurance that payroll expenditures are accurate and valid and that the grant program is being properly charged for actual time worked on a program. You may want to consider new functionality for direct employee recording of labor distribution that has been rolled out as part of SSTA.
Federal Reporting – The Federal Funding Accountability and Transparency Act (FFATA)
All grant programs have reporting requirements, both financial and non-financial, that are specific to the grant. FFATA reporting is applicable to all grants over $25,000 and requires prime recipients and contractors to register in the FFATA Sub-award Reporting System (FSRS). Federal financial information must reconcile to MMARS. Source documentation, query methodology, policies, and procedures need to be readily available to personnel responsible for filing the reports so they can be timely and accurate.
Internal Control Accountability
Both Commonwealth and Federal laws require that departments develop and use internal controls to provide reasonable assurance of reliable reports, effective and efficient operations, mitigation of risks and compliance with laws and regulations. To fulfill this requirement, departments must ensure that all department business is appropriately authorized and that this authorization is documented. For example, authorized personnel must review and approve invoices before they are paid to ensure that costs charged to federal grants or programs are appropriate.
Capital Asset Additions
The recording and capitalization of fixed assets continues to improve, but further improvement is needed in compliance with construction in progress (CIP) and the use of retainage related to capital projects. Departments are required to pay particular attention to the timeliness of recording capital asset additions in MMARS. It was noted that some departments have recorded capital assets in the wrong fiscal year, causing a distortion of capital asset presentation and depreciation expenses in the statewide CAFR financial statements. The Office of the Comptroller (CTR) continues its semi-annual review of Capital Assets information in August and February. Please assure that all changes to assets are entered in MMARS as of December 31st and June 30th respectively. These capital asset inventory reviews require the chief fiscal officer to sign-off on the accuracy and completeness of the data recorded in MMARS.
Eligibility Determination for Most Grant Programs
Nearly every grant requires some form of eligibility to receive funds. For example, credentialing criteria, income eligibility or professional licensing may need to be established and verified for vendors or other recipients who receive grant awards. Human service case records must have full documentation in accordance with the grant. Departments must also substantiate this eligibility process. All eligibility determinations must be made in accordance with either a state plan filed with the Federal government, the grant award itself, or General Laws. Evidence must be readily available to prove eligibility.
Sub-recipient monitoring continues to be an issue. When departments are granting federal funds to a sub-recipient, including another state agency, a municipality, or a non-profit (often referred to as "pass-through" funds), the department remains responsible for sufficient oversight of the funds (sub-recipient monitoring) to ensure that the funds are spent in accordance with federal grant requirements. The same oversight responsibility applies regardless of the type of funds granted by a department, even if the funds are earmarked to another entity.
Information Technology System Issues and Data Security
Data systems must be protected, especially systems containing personally identifiable information and those that interface with the financial systems, MMARS and HR/CMS. The single audit continues to reveal instances of passwords that are not complex, logical access that is too broad and a lack of segregation of duties in change management controls.
Departments must monitor access to statewide systems (MMARS, HR/CMS, and CIW) on a regular basis to ensure that levels of access are appropriate and proper segregation of duties is in place. The enterprise security policy requires annual certification by the Department Head (by June 30th) and Department Security Officers (by December 31st).
Internal Control Officers