• This page, The BCDA’s Internal Control Plan Does Not Comply With the Comptroller of the Commonwealth’s Internal Control Guide, is   offered by
  • Office of the State Auditor

The BCDA’s Internal Control Plan Does Not Comply With the Comptroller of the Commonwealth’s Internal Control Guide

The audit found the BCDA’s internal control plan (ICP), an agency-wide document that summarizes risks and controls for all business processes, has not been updated since 2016.

Table of Contents

Overview

The Berkshire County District Attorney’s Office’s (BCDA’s) internal control plan (ICP), an agency-wide document that summarizes risks and controls for all of its business processes, is not updated annually; it was last updated in June 2016. In addition, the ICP does not consider, or adequately address, four critical components of enterprise risk management (ERM): internal environment, objective setting, event identification, and control activities. Without a complete, up-to-date, and adequately documented system of internal controls, BCDA risks not meeting all of its operational objectives economically and efficiently or complying with state laws, regulations, other authoritative guidance, grants, and other contractual agreements.

Our analysis of BCDA’s most recent ICP noted that the ICP does not do the following:

  • contain a tone-at-the-top statement (internal environment)
  • contain a department head’s statement of support (internal environment)
  • define goals and objectives that are aligned with the agency’s mission statement (objective setting)
  • identify risks that may prevent the agency from achieving these goals and objectives (event identification)
  • identify controls used to mitigate these risks (control activities)

Authoritative Guidance

In its document Enterprise Risk Management—Integrated Framework, the Committee of Sponsoring Organizations of the Treadway Commission4 defines ERM as follows:

A process, effected by the entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives.

To comply with the ICP checklist in the Comptroller of the Commonwealth’s (CTR’s) Internal Control Guide, an ICP must contain information on the eight components of ERM: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring (see Appendix B). Specifically, Section B of the ICP checklist requires the following:

1. Internal Environment...
a.   Tone at the Top...
b.   Department Head statement of support of the Internal Control Plan...

2. Objective Setting...
a.   Goals and Objectives are defined, and aligned to the Mission Statement

3. Event Identification...
a.   Have risks that may impede the achievement of each objective been identified?...

6. Control Activities—mitigation steps that are linked to risk events

Additionally, CTR’s Internal Control Guide states, “At the very least, the ICP must be reviewed and updated annually.”

Reasons for Noncompliance

Although the ICP itself requires the plan to be updated annually, BCDA does not have any policies and procedures that provide for this update or monitoring controls to ensure that it is done. According to BCDA officials, BCDA hired a third-party contractor to review the ICP and help identify necessary changes to ensure compliance with CTR’s Internal Control Guide in September 2017. As of September 14, 2018, BCDA’s ICP was still being reviewed by the contractor.

Recommendations

  1. BCDA should immediately update its ICP to include all the critical components of ERM.
  2. BCDA should establish policies and procedures for annually updating its ICP, as well as monitoring controls to ensure that these policies and procedures are adhered to.

Auditee’s Response

Our ICP was last formally updated in June 2016. [At the beginning of the audit], we proactively explained that we were in the process of a complete review and possible overhaul of the entire ICP, using the Comptroller’s model for a risk assessment and mitigation process. As part of our annual review in June 2017, we decided to use outside counsel to assist us in updating personnel policies and procedures that were integrated and referenced in our ICP. Although this process was started in June 2017, the first mutually convenient time for all parties to begin the review and provide staff trainings was not until December 2017 and the draft product from outside counsel was not received until June 2018. This delay in receiving the information, coupled with the transition to a new District Attorney in March 2018, further complicated the completion of the annual ICP updates as required.

I would like to further note that the ICP currently in place does contain strong policies, procedures and controls and the delays in updating the plan have not left the Office in any kind of jeopardy. It was our intent to further strengthen these procedures but the comprehensive updates we envisioned are a time-consuming process that we were not able to accomplish in the required time period due to the delays in obtaining policy reviews and the transition to new administration in March, 2018.

The results of the November 2018 general election have resulted in another change in leadership to the Berkshire [County] District Attorney’s Office. We have advised the newly elected District Attorney, Andrea Harrington, of this audit finding and have begun the process of aiding her new administration on their updated Plan with the audit recommendations.

Auditor’s Reply

According to CTR’s Internal Control Guide, an agency’s ICP should be updated at least annually. Although BCDA may have been in the process of updating its ICP during our audit period, it did not do so annually because it does not have any policies and procedures that provide for this update or monitoring controls to ensure that it is performed. Therefore, we again recommend that BCDA implement our recommendations regarding its ICP.

Based on its response, BCDA is taking measures to address our concerns in this area with the newly elected District Attorney.

4.    According to www.coso.org, the organization “is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.”

Date published: January 14, 2019

Help Us Improve Mass.gov  with your feedback

Please do not include personal or contact information.
Feedback