DALA Does Not Have a Compliant Internal Control Plan.

DALA lacked an internal control plan that complied with guidelines issued by the state Comptroller, including controls for assessing agency risks for activities related to payroll, contracts, purchases, and inventory.

Table of Contents


In our prior audit, we determined that DALA had not developed an internal control plan (ICP) during the audit period. Instead, it had developed an Internal Control Procedures document that included objectives, activities, and responsibilities for activities including payroll, contracts, purchases, cash receipts, and inventory.

In our current audit, we found that DALA had created an ICP in fiscal year 2017 and updated it in fiscal year 2019, but in both years, the ICP did not comply with CTR guidelines. Two of the required components—internal environment and risk response—were not addressed. Moreover, DALA did not create new ICPs or update existing ones in fiscal years 2018 and 2020.

The lack of a compliant ICP impedes DALA from identifying vulnerabilities that could prevent it from achieving organizational goals and objectives and expose it to heightened risks in its operations. Not reviewing and updating its ICP as conditions warrant (but at least annually) hampers agency response to changes in its control environment.

Authoritative Guidance

CTR’s 2015 Internal Control Guide states,

Internal Control Plans are based on comprehensive assessments of risks, especially those related to the prevention of fraud, waste and abuse. An effective ICP requires the involvement of everyone in an organization. . . . Accordingly, departments are obligated to revise their ICPs whenever significant changes occur in objectives, risks, management structure, program scope, etc. At the very least, the ICP must be reviewed and updated annually.

To be considered compliant, a department’s Internal Control Plan must contain the [following] components: Internal Environment [and] Risk Response.

Reasons for Issues

According to the chief administrative magistrate, a lack of available time and personnel caused the agency to prioritize the case backlog and the maintaining of operations over developing a compliant ICP.


  1. The chief administrative magistrate should prioritize the completion of a compliant ICP by properly documenting the internal environment and a risk response that includes all aspects of DALA’s business operations.
  2. After completing the ICP, DALA should review and update it whenever significant changes occur in objectives, risks, management structure, or program scope, but at least annually.

Auditee’s Response

DALA seeks to meet all its reporting requirements in a timely manner and we are addressing the inadequacies of our Internal Control Plan (ICP). We completed the 2018 ICP on January 23, 2019. The 2020 ICP was completed on December 29, 2020. It incorporates some of the changes to the Risk Assessment suggested by [Office of the State Auditor, or OSA] staff during the audit and we will address the remaining issues and those in the Internal Environment Component in future ICPs.

Auditor’s Reply

Based on its response, DALA is taking measures to address our concerns on this matter.

Date published: April 7, 2021

Help Us Improve Mass.gov with your feedback