Overview
In our previous audit (Audit No. 2018-0209-3A), we found that MSCBA had not developed a comprehensive internal control plan (ICP) that identified all agency risks and related controls. While some policies and procedures were documented, they primarily addressed financial operations and therefore did not constitute a comprehensive ICP.
In the current audit, we again identified deficiencies in MSCBA’s ICP. Specifically, the ICP was not based on an agency-wide risk assessment, which is a critical element for identifying and addressing potential risks across all aspects of MSCBA’s business operations. Similarly to what we found in our prior audit, the ICP remained focused primarily on financial and accounting functions. Additionally, MSCBA’s ICP did not incorporate all critical components of enterprise risk management as outlined by the Office of the Comptroller of the Commonwealth’s (CTR) Internal Control Guide.
Without a sufficiently developed ICP based on an agency-wide risk assessment, MSCBA is limited in its ability to identify vulnerabilities, which could prevent it from achieving organizational goals.
Authoritative Guidance
There are no specific legal or regulatory requirements related to MSCBA’s internal control system; however, according to Chapter 647 of the Acts of 1989, state agencies are required to develop and clearly document internal control systems in accordance with guidelines established by CTR. These guidelines require an ICP to be based on a risk assessment and revised annually. Although MSCBA is not required to follow these standards, since it is not a Commonwealth agency within the executive branch and is instead categorized as a quasi-governmental agency, we consider them best practices.
CTR’s Internal Control Guide states,
Your department is obligated to review and update your Internal Control Plan on an annual basis, as well as whenever there is a new objective, risk, or management structure. . . .
An internal control plan should have a statement of awareness and compliance with [the General Laws] Chapter 647 guidelines in addition to the [Committee of Sponsoring Organizations’] eight [enterprise risk management framework] components.
Reasons for Issue
MSCBA has not developed policies and procedures to ensure that it creates and annually reviews a comprehensive ICP that addresses all of MSCBA’s operations. According to MSCBA officials, although MSCBA staff members independently monitor various documents related to internal controls, MSCBA does not have the staff capacity to consolidate these efforts into a centralized ICP.
Recommendations
- MSCBA should develop an ICP based on a current agency-wide risk assessment that includes all aspects of its business activities. MSCBA should ensure that its ICP includes all the critical components of enterprise risk management.
- After completing its ICP, MSCBA should ensure that the ICP is communicated to all employees, used within its operations, and reviewed and updated at least annually.
Auditee’s Response
The Authority has written policies and procedures for specific operations, and finance and accounting internal controls are reviewed annually both internally and by the Authority’s external audit firm. Although these documents do not take the form of a singular document or plan, they collectively direct and guide day-to-day internal operations of the Authority. The Authority will review its internal controls documents, as well as suggested guidance from CTR and other authorities, consistent with the Committee of Sponsoring Organizations (COSO) framework to further develop a single comprehensive plan for all the critical components of enterprise risk management.
Auditor’s Reply
Based on its response, MSCBA is taking measures to address our concerns regarding this matter. As part of our post-audit review process, we will follow up on this matter in approximately six months.
Date published: June 18, 2025