In performing our audit work, we found that DPL’s internal control plan (ICP) did not meet all of the requirements of the Office of the Comptroller of the Commonwealth (CTR). In its document Enterprise Risk Management—Integrated Framework, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines enterprise risk management (ERM) as follows:
A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
To comply with CTR internal control guidelines, an ICP must contain information on the eight components of ERM: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. COSO guidance states that to be effective, all components of an internal control system must be present, be functioning properly, and be operating together in an integrated manner. In addition, CTR’s Internal Control Guide requires that an ICP be updated as often as changes in management, risk level, program scope, and other conditions warrant, but at least annually.
DPL did not have an ICP for fiscal years 2018 and 2019. Further, its ICP for fiscal year 2020 was deficient: it did not address two of the required eight components, risk assessment and risk response. The lack of a compliant ICP impedes DPL from identifying vulnerabilities that could prevent it from achieving organizational goals and objectives and exposes it to heightened risks in its operations.
In OSA’s opinion, DPL should ensure that it has a compliant ICP and should update its ICP whenever significant changes occur in objectives, risks, management structure, or program scope.
DPL has updated its Internal Control Plan (“ICP”) for each of the last two fiscal years. However, to further strengthen its ICP and ensure that the plan is consistent with all requirements of the Comptroller’s Guide to Internal Controls and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, DPL has formed a standing Internal Control Board (“ICB”). The ICB, which consists of key DPL management staff and members of the Agency’s Performance Management team, meets weekly and is currently reviewing the State Auditor’s recommendations. The DPL ICB plans to issue an updated ICP for FY2022 that addresses all eight components of the Enterprise Risk Management approach, including risk assessment and risk response.
Auditee’s Comment on Audit Constraints
The draft audit report correctly notes that DPL primarily uses two software programs to track license applications and renewals and maintain CORI and SORI check information: DPL’s 29 boards use the Accela software suite, and OPSI primarily uses a software application called MyLicense Office (MLO). The draft audit report states that your office was “not able to determine whether DPL conducted CORI or SORI checks for all license applicants because the data in Accela and MLO were incomplete and inaccurate.” . . .
We do acknowledge that neither the Accela nor the MLO licensing databases consistently record that a CORI was run on an applicant. CORIs are requested and reviewed manually, without an interface that automatically updates the databases when a CORI is run. As noted in the draft report, in some instances, a DPL user noted in the database that a CORI check was completed. But more often that information has not been entered into the database. While DPL is confident that CORI checks were completed for all applicants during the audit period, we also recognize that our licensing systems should capture the completed process. Therefore, going forward the licensing databases will be updated manually to indicate that a CORI was run.
Date published: September 15, 2021