DLR did not update its internal control plan (ICP), an agency-wide document that summarizes risks and controls for all of its business processes, on an annual basis. DLR’s ICP was last updated in June 2015. In addition, the ICP does not consider, or adequately address, three critical components of enterprise risk management (ERM) required by the Office of the Comptroller of the Commonwealth (CTR): (1) control activities, (2) information and communication, and (3) monitoring. The ICP did not identify the specific control activities associated with DLR’s program for resolving cases managed by the department, which it must do to address the risks identified, and it did not address information and communication or the monitoring and evaluation of control effectiveness. Without an adequately documented system of internal controls, DLR risks failing to meet its operational objectives economically and efficiently, or failing to comply with state laws, regulations, and other authoritative guidance.
Under Chapter 647 of the Acts of 1989, every executive agency must review its ICP annually, update it as necessary, and ensure that it conforms to CTR guidelines.
In addition, the CTR Internal Control Guide issued in June 2015 states,
Departments are obligated to revise their ICPs whenever significant changes occur in objectives, risks, management structure, program scope, etc. At the very least, the ICP must be reviewed and updated annually. . . .
To be considered compliant, a department’s Internal Control Plan must contain the eight components of [the Committee of Sponsoring Organizations of the Treadway Commission’s] ERM Framework:
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information and Communication
- Monitoring. . . .
Each department’s internal control plan will be unique; however, it must be based on the ERM framework.
In its 2017 document Enterprise Risk Management—Integrating with Strategy and Performance, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as follows:
The culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value.
COSO guidance states that all components of an internal control system must be present, functioning properly, and operating together in an integrated manner to be effective.
Reasons for Noncompliance
DLR’s acting director indicated that he was aware of, and considered, the risks associated with DLR’s activities but did not document them in the ICP. In addition, DLR does not have any policies and procedures related to the annual review of its ICP that would establish, among other things, how it conducts and documents the process, what is the timeline for completing it, and which staff members are responsible for performing it.
- DLR should take the measures necessary to ensure that its ICP complies with CTR’s Internal Control Guide.
- DLR should establish policies and procedures for the annual review of its ICP as well as monitoring controls to ensure that these policies and procedures are adhered to.
DLR is currently working with the [Executive Office of Labor and Workforce Development’s] Department of Internal Control and Security to ensure its ICP complies with the Office of the Comptroller of the Commonwealth’s Internal Control Guide. The DLR will review and update the ICP on an annual basis in conjunction with the completion of the Comptroller's annual Internal Control Questionnaire and certification, or more frequently if required by operational changes.
Date published: May 15, 2019