We found problems with the system of internal controls MGCC had established over its operations. Specifically, although MGCC had a risk management plan that documented the results of its risk assessment, the plan had not been updated since June 2015. Further, MGCC had not considered any additional risks or the internal controls that should be used to mitigate them since June 2015. Without an updated and adequately documented system of internal controls, including an entity-wide risk assessment, MGCC management cannot measure, prioritize, and manage risks that are relevant to achieving its mission.
In addition, MGCC has not developed a business continuity plan or tested its disaster recovery plan. This may cause its critical operations to be disrupted if a loss of data or systems occurs.
MGCC’s risk management plan, which documents the results of the organization’s risk assessment, indicates that “the Plan will be reviewed and updated at least annually.”
In addition, the Executive Office of Technology Services and Security’s “Enterprise Information Security Policy,” dated January 10, 2017, requires agencies to do the following:
Protect mission-critical information assets, processes and facilities from the effects of major failures or disasters by developing and implementing a business continuity strategy that is consistent with organizational objectives and priorities. Back up critical data, such as confidential information, and strive to prevent disasters and implement timely recovery from disasters as well as continue critical organizational functions during a disaster or major disruption while maintaining the confidentiality of classified information.
Although MGCC is not specifically required to follow this policy, it represents a best practice that should be followed by all Commonwealth governmental agencies, as well as quasi-public agencies such as MGCC.
Reasons for Issue
According to MGCC senior management, the organization’s risk profile has not changed significantly since the initial risk assessment was completed, and therefore MGCC has not needed to update the plan. MGCC management said that the agency relied on an external service provider for all of its information technology services and was satisfied that the service provider’s procedures for backups and system restoration were appropriate and adequate. However, during our conversation with this service provider, we found that these procedures did not include business continuity and disaster recovery plans.
- MGCC should perform an annual entity-wide risk assessment and then develop and document controls (i.e., policies and procedures) to mitigate identified risks.
- MGCC should develop a business continuity plan and annually test its disaster recovery plan.
We feel that the critical internal controls of accounting and cash management, loan risk and grant management are well documented, strong and independently audited with no exceptions or findings. We agree that the risk management plan needs to be reviewed annually and a disaster recovery plan needs to be established.
To this end we are formalizing a disaster recovery plan, which will be presented to our Board for ratification. The risk management plan will be reviewed and updated this summer. Both of these will be added to our compliance duties which get reported quarterly to our Audit Committee and subsequently to the Board.
We believe the actions outlined by MGCC management to address our concerns regarding the risk management and disaster recovery plans will strengthen the agency’s internal controls.
Date published: June 26, 2019