Offered by the Office of the State Auditor

SDE’s Internal Control Plan Had Not Been Updated As Required and Lacked Critical Components of Internal Control.

Audit recommends that the Department implement policies to require its internal control plan to be updated annually.

Overview

SDE did not develop an internal control plan (ICP), an agency-wide document that summarized risks and controls for all of its business processes, in accordance with state guidelines. Without an adequately documented system of internal controls, including a department-wide risk assessment, SDE’s management could not measure, prioritize, and manage the relevant risks to achieving SDE’s mission.

Specifically, SDE did not complete annual updates to its ICP, ensure that its ICP contained a department-wide risk assessment that included the risk of fraud, or consider all components of enterprise risk management (ERM) as required by the Office of the State Comptroller (OSC). SDE personnel stated that the ICP was updated in December 2016 in anticipation of the new Sheriff; however, before then, the ICP had not been updated for several years. In addition, the current SDE ICP primarily addresses financial activity, not the agency’s mission or goals.

Authoritative Guidance

OSC’s June 2015 Internal Control Guide stresses the importance of internal controls and the need for departments to develop ICPs based on their missions and goals. To comply with OSC’s internal control guidelines, an ICP must contain information on the eight components of ERM set forth by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in its document Enterprise Risk Management—Integrated Framework, or COSO II. The eight components are internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. COSO guidance states that all components of an internal control system must be present, functioning properly, and operating together in an integrated manner in order to be effective. In addition, OSC’s Internal Control Guide requires ICPs to contain a risk assessment that includes the risk of fraud.

Reasons for Noncompliance

SDE did not have any internal controls or policies regarding timely completion of a complete ICP.

The employee responsible for completing the ICP stated that, under the previous administration, he did not receive proper training on completing a compliant ICP. He also stated that the prior SDE administration did not make completing all aspects of the ICP properly a priority.

Recommendations

  1. SDE should request training from OSC on how to properly complete an ICP.
  2. SDE should develop and implement a policy requiring that its ICP be updated annually based on a current department-wide risk assessment and address all components of ERM.

Auditee's Response

The Coppinger administration has begun updating and creating new policies that provide definitive guidance of past practices that this audit has deemed to be departmental exposures. SDE has hired a new Chief Financial Officer with prior state experience at the Executive Office for Administration and Finance and the Office of the Comptroller, who has been tasked with creating a new Internal Control Plan from the ground up. SDE’s intention is to compile a thorough and robust ICP that encompasses input from all disparate business areas within the department, to identify and prioritize risk within the organization, not just from a fiscal perspective, but to include all operational exposures. SDE anticipates being fully compliant by the end of calendar year 2018. SDE will continue to submit annually the Comptroller’s Internal Control Questionnaire (ICQ).

Auditor's Reply

Based on its response, SDE is taking measures to ensure that it properly completes an ICP, but it should also develop and implement a policy requiring that the ICP be updated annually, in addition to submitting the Internal Control Questionnaire annually.

Date published: August 27, 2018
