Overview
We found problems with the system of internal controls MSCBA had established over its operations. Specifically, although MSCBA has documented, in its Summary of Internal Control Plan document, policies and procedures primarily related to its financial operations, it has not developed an internal control plan (ICP) that clearly summarizes all of the agency’s risks and the controls that will be used to mitigate them. Without an adequately documented system of internal controls, including a department-wide risk assessment, MSCBA management cannot measure, prioritize, and manage risks that are relevant to achieving its mission.
Reasons for Noncompliance
MSCBA officials told us that they relied on the independent audit firm that conducts MSCBA’s yearly audit to inform them of any weaknesses in the system of internal controls and that the firm had not pointed out any deficiencies that MSCBA needed to address in this area.
Recommendation
MSCBA should take the measures necessary to improve its system of internal controls, including performing an entity-wide risk assessment and then developing controls (i.e., policies and procedures) to mitigate identified risks; developing a business continuity plan; and annually testing its disaster recovery plan.
Auditee’s Response
We agree with the draft audit report that . . . internal control can—and does—benefit from continuous improvement. . . . We reject the implication that the Authority has anything other than a vital and comprehensive internal control system and plan and processes consistent with best practices. We believe the draft audit report inaccurately describes the Authority’s system of internal controls and we take specific exception to several of the draft audit comments on this topic:
- The draft audit establishes the “authoritative guidance” to be Chapter 647 of the Acts of 1989, to which the Authority is not subject. This is misleading to the reader.
- The draft audit report’s recommendation inaccurately implies that the Authority does not have an internal control plan or business continuity plan, both of which were provided to the audit team. Further, the recommendation states the Authority does not . . . test its disaster recovery plan. The Authority made the audit team aware that, in March 2018, the Authority underwent a complete overhaul of all IT services, controls, and recovery plans and policies, including a disaster recovery plan and business continuity plan. Since March 2018, the Authority has been implementing the new IT recommendations incrementally. The Authority agrees with the draft audit that the disaster recovery plan should be tested annually. The Authority intends to test the plan prior to its first anniversary (March 2019), which is outside of the audit period.
- The Authority acknowledges that its internal control plan does not have a section that specifically identifies and summarizes risks. However, we maintain that the Authority’s plan is consistent with best practices and adequately addresses the risks facing the organization, including financial, project, administrative and technological risks, with multi-faceted control policies in place to prevent, detect, protect and mitigate such risks.
In addition to its written comments, MSCBA officials pointed out during a meeting with OSA that MSCBA had experienced several emergencies that required it to shut down its office, but that it was still able to continue to operate. According to the officials, this suggested that although the agency did not have a tested disaster recovery plan, it had demonstrated its ability to continue operating in emergencies.
Auditor’s Reply
Our report acknowledges that MSCBA has documented, in its Summary of Internal Control Plan, policies and procedures primarily related to its financial operations. However, these documented controls are limited to certain areas of MSCBA’s operations and do not constitute a comprehensive ICP. As noted above, an effective ICP would be based on an agency-wide risk assessment and would summarize all of the agency’s risks and the controls to be used to mitigate them. Simply documenting controls over certain activities is not consistent with best practices, which we describe in our report. Without an adequately documented system of internal controls, including a department-wide risk assessment, MSCBA management cannot measure, prioritize, and manage risks that are relevant to achieving its mission.
During our audit, MSCBA gave us a copy of its disaster recovery plan. However, MSCBA officials acknowledged to us that this plan had not been tested and that therefore its effectiveness had not been determined. Further, contrary to what it asserts, MSCBA did not give us a separate business continuity plan, but rather pointed us to a statement in its disaster recovery plan that in the case of a disaster, all employees would work remotely. However, this statement alone, in OSA’s opinion, does not constitute an effective business continuity plan, which would address things like staff responsibilities, business processes and procedures that should be followed, and the physical location of activities in the event of an unforeseen interruption in business.
Based on its response, MSCBA is taking some measures to address our concerns in this area, but we urge it to fully implement our recommendation.
Date published: March 12, 2019