DHE’s Latest Internal Control Plan is Not Fully Compliant with OSC’s Internal Control Guide.

As of our audit period, DHE had not developed an internal control plan (ICP) in accordance with the latest OSC guidelines (issued in 2015). DHE’s ICP had not been updated since 2010 and did not consider, or adequately identify, any of the eight components of enterprise risk management (ERM): internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.

Furthermore, DHE had not conducted an annual organization-wide risk assessment that identified potential risks concerning its financial, operational, and compliance activities or the risk of fraud. Developing a risk assessment is important because it enables management to focus its attention on the most important entity risks and to manage risks within defined tolerance thresholds.

Without an adequately documented system of internal controls, DHE risks not meeting all of its operational objectives economically and efficiently or complying with state laws, regulations, and other authoritative guidance as well as grants and other contractual agreements.

The OSC Internal Control Guide issued in June 2015 states,

Departments are obligated to revise their ICPs whenever significant changes occur in objectives, risks, management structure, program scope, etc. At the very least, the ICP must be reviewed and updated annually. . . .

Internal control is defined as a process effected by an entity’s oversight body, . . . management, and other personnel that provides reasonable assurance the department’s objectives will be achieved. Before developing its . . . ICP, a department must determine its mission, strategic goals and objectives, and then formulate a plan to achieve those objectives. The internal control plan is a summary describing how a department expects to meet its various goals and objectives by using mitigating controls to minimize risk. Each department’s internal control plan will be unique; however, it must be based on the ERM framework.

In its document Enterprise Risk Management—Integrated Framework, or COSO II, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as follows:

A process, effected by the entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage the risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

To comply with the OSC Internal Control Guide, an ICP must contain information on the eight components of ERM: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. COSO guidance states that all components of an internal control system must be present and functioning properly and operating together in an integrated manner to be effective.

Finally, OSC’s Internal Control Guide requires that ICPs incorporate a risk assessment that includes the likelihood and impact of risks.

DHE’s management told us that a lack of adequate administrative resources made it extremely challenging to thoroughly assess its control activities and update its ICP annually and that DHE has had an agency-wide decrease in full-time-equivalent positions, from approximately 79 in fiscal year 2015 to 59 at the end of fiscal year 2017.

DHE should develop a complete and updated ICP based on a current department-wide risk assessment that includes all aspects of its business activities.

The Department substantially agrees with this finding. To address this deficiency, the Department consulted with the Office of the Comptroller’s Quality Assurance Unit and requested guidance on updating its internal control plan in accordance with the COSO’s Enterprise Risk Management framework. The Department conducted two executive level trainings on the ERM framework and ICP development, and all members of the Department’s senior management team were engaged in a comprehensive process of goal setting, event identification, risk assessment and risk responses. The current version of the Department’s Internal Control Plan has been updated to reflect the Comptroller’s guidance on format and structure, and the Department’s leadership has committed to a continuous improvement process for updating the plan as priorities evolve and risks change.

The actions taken by DHE to address compliance with OSC’s Internal Control Guide should provide DHE with an adequately documented ICP that incorporates a department-wide risk assessment for all aspects of the agency’s business activities.