Cannabis Control Commission - Finding 6

During our audit, we identified the significant deficiencies in CCC’s internal control system described below. Of the four controls we tested—commissioner approval of fines, reconciliation of revenue, and two supervisory reviews of licensing documents—only commissioner approval of fines was consistently documented and determined to be operating effectively. The remaining three controls were not operating as intended, as described below.

Supervisors did not consistently perform or review CCC’s monthly revenue reconciliations for the marijuana regulation fund (MRF), including fines. For seven of the eight months tested, CCC did not complete the required reconciliations, and there was no documentation showing that CCC’s chief financial and accounting officer reviewed them, as required.

CCC was unable to provide documentation demonstrating that supervisors completed required review procedures. Specifically, supervisors could not provide documentation of approvals of final application checklists and background checks. For all 25 of the licensing background checks tested, CCC could not provide evidence that licensing managers had reviewed and approved the background checks for owners and managers of the sampled licensees. Additionally, for all 25 of the final licensing application checklist controls tested, CCC was unable to produce records verifying that licensing managers had completed the final reviews prior to licensure.

CCC did not maintain a fully compliant internal control plan during the audit period. Although CCC had an internal control plan in place, our audit determined that it was not sufficiently aligned with established internal control standards, such as those set forth in the Committee of Sponsoring Organizations of the Treadway Commission framework and CTR’s internal control guidance, to effectively manage operational and regulatory risks.

High turnover among CCC’s executive leadership inhibited CCC’s capacity to maintain a stable organizational structure and preserve institutional knowledge. The reliance on interim replacements with overlapping responsibilities further strained internal operations, as individuals were required to manage multiple high-level roles simultaneously. Furthermore, the elimination of key leadership roles disrupted CCC’s organizational structure and reduced oversight capability.

After reviewing the internal control documentation provided by CCC for calendar years 2022, 2023, and 2024, we found no evidence that risks were analyzed or that control activities had been performed. Although general control activities were described, the related policies and procedures were not clearly cited, limiting the plan’s usefulness as a tool for assessing whether controls were both implemented and operating effectively. Moreover, several controls were marked as either partially or not implemented, indicating that CCC has not yet fully put its internal control framework into practice. These failures indicate that key controls were not functioning as intended and reinforce broader concerns regarding the design, implementation, and operating effectiveness of CCC’s internal control system.

This inadequate internal control environment and inadequate internal control plan contributed to several operational and financial risks, including:

• absence of control activities, which resulted in inconsistent practices, a lack of clearly documented procedures, and diminished organizational accountability;
• deficient oversight in licensing, HCA reviews, and management of the MRF, as evidenced by missing documentation of final approvals and unreconciled financial activity raising concerns about transparency, fairness, and regulatory reliability; and
• lack of a fully compliant internal control plan, which leaves CCC unprepared to address emerging risk posed by an unstable organizational structure. 

According to the Committee of Sponsoring Organizations of the Treadway Commission’s Enterprise Risk Management Framework, which is the basis of CTR’s Internal Control Guide, organizations must use 17 principles to create an internal control plan. These principles include the following, which are relevant to this audit:

• Principle 3 requires organizations to establish a clear structure of roles, authority, and responsibilities to maintain accountability and operational efficiency.
• Principle 4 requires organizations to recruit, develop, and retain qualified employees and provide training and professional development to sustain institutional knowledge and achieve objectives.
• Principle 6 requires organizations to define strategic goals and objectives to guide risk identification and management efforts.
• Principle 7 requires organizations to continuously identify and assess risks, including emerging risks and fraud risks, to maintain alignment with objectives.
• Principle 8 requires organizations to evaluate risks dynamically and update risk management strategies in response to evolving threats.
• Principle 9 requires organizations to respond to risks promptly through appropriate mitigation strategies, such as updating policies, reallocating resources, or strengthening controls.

Regarding the MRF, CCC did not maintain sufficient documentation of financial oversight activities, including reconciliations and review processes. CCC did not have documented policies or procedures to ensure that reconciliations were conducted on a regular basis.

Regarding HCAs, CCC did not consistently document critical controls, such as background check reviews and final checklist approvals.

Regarding CCC’s lack of a fully compliant internal control plan, CCC provided us two documents labeled as internal control plans; however, both closely resembled risk assessments and lacked risk analysis and control activities. Additionally, multiple controls were marked as either partially or not implemented.

Related to the control environment, CCC experienced high turnover of executive staff members, overly relied on interim roles, and eliminated key positions, which further compounded leadership instability and diluted accountability.

Related to risk assessment, CCC’s lack of ongoing documentation and updates to the risk assessment framework left CCC without a reliable mechanism to evaluate emerging risks, limiting its ability to adapt to changing conditions. 

1. CCC should ensure that controls around the review processes for both the MRF and HCAs operate effectively.
2. CCC should develop a fully compliant internal control plan and conduct a risk assessment annually.

CCC’s Recommendation 1 response was as follows:

The MRF is appropriated by the Legislature and further controlled by the Comptroller, not administered the CCC. The Agency transfers revenue collected by the Commission to the MRF, and the Agency only has visibility as to what is transferred from the Commission to the MRF. Other receipts into the MRF through other sources, include deposits of tax revenue from [the Massachusetts Department of Revenue] (see Section 5 of Chapter 64N [of the General Laws]). Prior to [fiscal year] 2025, monthly reconciliations were done to ensure all payments received by the Commission were transferred to the MRF, however, reconciliation with Licensing records did not occur during this period. As of [fiscal year] 2025 the Finance Department began receiving automated reports of payments entered into MassCIP and [Medical Use of Marijuana Program Online System]. These reports are now being reconciled to bank deposits as well as entries transferring funds to the MRF. Reconciliations are prepared monthly for Supervisor review and sign-off.

HCA review process is explained in [executive director] response to FINDING 3.

CCC’s Recommendation 2 response was as follows:

With limited and time-constrained available funding at the end of [fiscal year] 2025 the Commission engaged [Clifton Larson Allen] to perform a pre-[System and Organization Control] audit review. The new Executive Director will utilize the outcome of this engagement and the expertise of the [Chief Technology and Innovation Officer] and [Chief Financial and Accounting Officer] to ensure all internal control plans are updated in line with Comptroller recommendations and other best practices, no later than the end of Calendar Year 2025.

1. CCC stated in its response that prior to fiscal year 2025, reconciliations were made to ensure that all payments received by CCC were transferred to the MRF. While performing our audit work, we determined that, although these reconciliations were occurring, they were not always occurring monthly and reliably. Additionally, CCC stated that there was no reconciliation performed between payments received (which ultimately transfer to the MRF) and licensing records, but that reconciliations are now prepared monthly and reviewed and signed off by a supervisor. As part of our post-audit review process, we will follow up on this matter in approximately six months.
2. CCC stated that it will update all internal control plans in line with CTR’s recommendations and other best practices no later than the end of this year. As part of our post-audit review process, we will follow up on this matter in approximately six months.