The Internal Control Plan for the Hampden County Probate and Family Court Register’s Office Did Not Cover All Required Components and Principles.

The internal control plan (ICP) for the Hampden County Probate and Family Court (HCPFC) Register’s Office did not cover all the components and principles of the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) enterprise risk management framework. A lack of a compliant ICP impedes the ability of the HCPFC Register’s Office to identify vulnerabilities that could prevent it from achieving organizational goals and exposes it to heightened risks in its operations.

Six of the eight components were not complete, and 9 of the 17 principles were not complete. The incomplete areas are described below, in the terms used in the “Internal Control Plan Checklist” section of the Office of the Comptroller of the Commonwealth’s (CTR’s) Internal Control Guide:

• The Internal Environment component was missing the following principles from the Internal Control Guide: “Tone at the Top, Mission Statement, Ethical Expectations, Standards, and Adherence to Conduct.”
• The Objective Setting component was missing descriptions of how “Goals and Objectives are defined, and aligned to the Mission Statement,” discussed in the Internal Control Guide.
• The Event Identification component was missing the identification of “risks that may impede the achievement of each objective” and the “[link] to objectives,” described in the Internal Control Guide.
• The Control Activities component was missing descriptions of “policies and procedures” and “Preventive and Detective controls,” discussed in the Internal Control Guide.
• The Information and Communication component was missing information about how “quality information is generated for and/or from both external and internal sources” and how “internal communication is disseminated throughout the organization, and information to external parties is appropriately communicated,” described in the Internal Control Guide.
• The Monitoring component was missing documentation of how HCPFC evaluates “whether each of the components of [the enterprise risk management framework] is present and functioning,” described in the Internal Control Guide.

The “Internal Control Plan Checklist” section of CTR’s Internal Control Guide states that an ICP should cover the following areas, steps, and questions, which are based on COSO’s enterprise risk management framework:

1. Internal Environment—Leadership demonstrates a commitment to integrity, ethical values and competence
   1. Tone at the Top, Mission Statement, Ethical Expectations, Standards and Adherence to Conduct. . . .
2. Objective Setting—measurable targets or purpose of the organization’s efforts
   1. Goals and Objectives are defined, and aligned to the Mission Statement
3. Event Identification—occurrences that could prohibit the accomplishment of objectives
   1. Have risks that may impede the achievement of each objective been identified?
   2. Are risks linked to objectives? . . .
4. Control Activities—mitigation steps that are linked to risk events
   1. Policies and procedures
   2. Preventive and Detective controls. . . .
5. Information and Communication—internal and external
   1. Information—quality information is generated for and/or from both external and internal sources
   2. Communication—internal communication is disseminated throughout the organization, and information to external parties is appropriately communicated
6. Monitoring—each component is evaluated to keep the Internal Control Plan up to date

a.   Ongoing and separate evaluations are used to ascertain whether each of the components of [enterprise risk management] is present and functioning.

Officials at the HCPFC Register’s Office told us that the office’s previous administration was responsible for creating and updating the ICP.

The HCPFC Register’s Office should update its ICP to include all required components and principles of COSO’s enterprise risk management framework.

To address this issue, a staff member has been given the responsibility to review the Internal Control Plan on a quarterly basis and update accordingly, with immediate attention given to the areas identified as incomplete.

Specifically, regarding information and Communication—internal/external:

Once weekly the Office Manager will have a meeting either in-person or virtual with department supervisors. Minutes from the meeting will be emailed to the First Assistant Register, Assistant Register and communicated with the Register. All minutes will be retained and kept in a log for review.

All communication regarding time-off, and any other office procedures, processes and information will be emailed to the appropriate staff member and kept in a log for review.

Based on its response, HCPFC is taking measures to address our concerns on this matter.