State Ethics Commission - Finding 1

The State Ethics Commission (SEC) should update its internal control plan (ICP) annually, as required by the Office of the Comptroller of the Commonwealth’s (CTR’s) Internal Control Guide. There were no updates to SEC’s ICP during the audit period, with the previous documented update on April 9, 2020, and the current update on November 21, 2024, indicating a gap of four years without revisions. In addition to its ICP not being updated annually, SEC should provide evidence of annual review of several other SEC policies and procedures during the audit period. Specifically, we found the following issues:

• The “Enforcement Division Investigations Manual”⁶ was last updated in 2018.
• The “Enforcement Procedures”⁷ were last updated in 2016.
• The “Legal Division Attorney of the Day (AOD) Protocol”⁸ was revised January 2, 2019.
• The “Receptionist Manual”⁹ was last updated on February 18, 2020.
• The “Policy on the Use of Information Technology Resources” was revised on June 22, 2016.

Furthermore, SEC should have written policies and procedures governing the administration of SFI filings and advisory opinions.

If SEC does not annually review, and update as needed, its ICP and other policies and procedures, then SEC staff members may not have clear guidance, leading to inconsistent practices, inefficiencies, and a higher risk of noncompliance with laws and regulations. A lack of written policies and procedures can also hinder staff member training, accountability, and continuity of operations for managing Statement of Financial Interests (SFI) filings and advisory opinions.

According to Chapter 647 of the Acts of 1989,

Internal control systems for the various state agencies and departments of the commonwealth shall be developed in accordance with internal control guidelines established by the office of the comptroller. . . .

Documentation of the agency’s internal control systems should include (1) internal control procedures, (2) internal control accountability systems and (3), identification of the operating cycles. Documentation of the agency’s internal control systems should appear in management directives, administrative policy, and accounting policies, procedures and manuals. . . .

Within each agency there shall be an official, equivalent in title or rank to an assistant or deputy to the department head, whose responsibility, in addition to his regularly assigned duties, shall be to ensure that the agency has written documentation of its internal accounting and administrative control system on file. Said official shall, annually, or more often as conditions warrant, evaluate the effectiveness of the agency’s internal control system and establish and implement changes necessary to ensure the continued integrity of the system.

According to CTR’s “Internal Controls Policy,”

A department must have a system of written internal controls that includes all department operations. A system of internal controls includes risk assessments, an Internal Control Plan (ICP), policies, procedures, and other operational controls. . . . At a minimum, a department’s system of internal controls must be reviewed and updated annually.

According to CTR’s Internal Control Guide,

Management should periodically review policies, procedures, and related control activities for continued relevance and effectiveness in achieving the department’s objectives or addressing related risks. If there is a significant change in a process, management should review the process in a timely manner after the change to confirm that the control activities are designed and implemented appropriately. Changes may occur in personnel, operational processes, or information technology. Regulators and legislators may also change either an entity’s objectives or how an entity is to achieve an objective.

According to SEC officials, SEC consistently uses its policies and procedures during its daily operations. They also stated that the policies and procedures provided were up-to-date, and no revision was needed. 

SEC should establish and implement a formal process to review and update its ICP and policies and procedures. This process should include documenting the performance of an annual review, as required byCTR’s Internal Control Guide and state law. 

The SEC agrees with the finding that it did not update its internal control plan (ICP) annually. However, during the audit period, the SEC had a robust ICP in place that had been carefully reviewed and provided to all staff. In 2019, the SEC drafted an updated ICP with extensive revisions. The Comptroller’s Statewide Risk Management (CTR) team reviewed the draft ICP in November 2019 and provided feedback that was incorporated into the draft ICP. The ICP was approved by the Commission at its meeting on April 9, 2020. Shortly thereafter, the SEC amended its ICP on June 26, 2020 to add internal control measures for the Covid-19 pandemic.

. . . A copy of the ICP with the Covid-19 amendment was sent to the State Auditor’s Office (SAO) on February 14, 2025. . . .

The Executive Director sent a copy of the ICP to all staff. The SEC subsequently adopted pandemic-related office policies to ensure the safety of its staff. The only significant operational change during the audit period was the adoption of a hybrid work schedule for certain employees. Controls for telecommuting were included in the Telecommuting Policy and Program adopted by the Commission at its September 8, 2022 meeting. The ICP was revised in 2024, reviewed by the CTR team, and approved by the Commission at its November 21, 2024 meeting.

Thus, during the audit period, the SEC had a strong ICP that had been carefully reviewed and provided to all staff. In addition, the SEC’s written policies and procedures cited in the draft audit report provided clear guidance and were regularly relied upon by staff. The lack of annual updates to the ICP during the audit period or an annual review of these effective policies and procedures in no way hindered the staff from continuing to provide the highest quality of service to the public and effectively manage SFI filings, advisory opinions and investigation of complaints as evidenced by the significant fact that no findings were made regarding the audit objectives. The SEC will put a process in place to ensure its ICP is reviewed annually and updated as needed and will review the cited policies and procedures and update or prepare them as appropriate.

Finally, in the “Recommendation” section for this finding, the draft audit report implies that a formal process to review and update its policies and procedures, such as the Enforcement Division Investigations Manual or Legal Division Attorney of the Day (AOD) Protocol, is required by “State regulation and law” to be done annually. No State law or regulation was cited in the draft report to support this requirement and the SEC is aware of none. In addition, the requirement that the ICP be reviewed and updated annually is contained in Comptroller guidance and not in a regulation.

We received SEC’s ICP, titled “Commonwealth of Massachusetts State Ethics Commission Internal Control Plan Updated April 9, 2020,” which includes the COVID-19 amendment, dated June 26, 2020. SEC stated that it has maintained an ICP and made revisions before the audit period. CTR’s Internal Control Guide and Chapter 647 of the Acts of 1989 establish minimum standards for internal controls. Under these guidelines, all state agencies are required to review and update their ICPs, along with their policies and procedures, on an annual basis to ensure alignment with current operations, risks, and organizational changes.

Based on its response, it appears that SEC is taking steps to address these concerns. We intend to follow up on this matter during our post-audit review in approximately six months.