There Were Deficiencies in DOS’s Internal Control Plan

DOS’s internal control plan (ICP), an agency-wide document that summarizes risks and controls for all of its business processes, is not updated annually; it was last updated in August 2015. In addition, the ICP does not consider, or adequately address, two critical components of enterprise risk management (ERM) as required by the Comptroller of the Commonwealth (CTR): risk assessment and monitoring. The ICP did not identify specific risks associated with DOS’s program for inspecting weighing and measuring devices in towns with 5,000 or fewer inhabitants, which it must do in order to develop effective internal control procedures, and did not include ways to monitor and evaluate the effectiveness of controls. Without an adequately documented system of internal controls, DOS risks not meeting all of its operational objectives economically and efficiently or complying with state laws, regulations, other authoritative guidance, or grants and other contractual agreements.

Under Chapter 647 of the Acts of the 1989, every executive agency must review its ICP annually and update it as necessary and ensure that it conforms to CTR guidelines.

The CTR Internal Control Guide issued in June 2015 states,

Departments are obligated to revise their ICPs whenever significant changes occur in objectives, risks, management structure, program scope, etc. At the very least, the ICP must be reviewed and updated annually. . . .

Each department’s internal control plan will be unique; however, it must be based on the ERM framework.

In its 2017 document Enterprise Risk Management—Integrating with Strategy and Performance, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as follows:

The culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value.

To comply with CTR’s Internal Control Guide, an ICP must contain information on the five components of ERM: governance and culture; strategy and objective-setting; performance; review and revision; and information, communication, and reporting. COSO guidance states that all components of an internal control system must be present, functioning properly, and operating together in an integrated manner to be effective.

In addition, CTR’s Internal Control Guide requires that ICPs incorporate a risk assessment that includes the likelihood and potential impact of risks.

DOS’s director indicated that he is aware of and assesses the risks associated with DOS’s activities but does not document them in the agency’s ICP. The director could not give us any documentation to substantiate that he had conducted a risk assessment. DOS does not have any policies and procedures related to the annual review of its ICP that would establish, among other things, how the process is to be conducted and documented, what are the timelines for completing the process, and which agency staff members are responsible for conducting the review.

1. DOS should take the measures necessary to ensure that its ICP complies with CTR’s Internal Control Guide.
2. DOS should establish policies and procedures for the annual review of its ICP as well as monitoring controls to ensure that these policies and procedures are adhered to.

A copy of the ICP was last updated on December 12, 2017 and a copy was provided to the auditors. In addition the division has complied with the comptroller’s requirement of filing the [Internal Control Questionnaire] in May of 2018. It is at this time that we review and update the ICP if necessary.

DOS did provide us with a copy of its most recent ICP. However, our review of this document indicated that it did not comply with CTR’s Internal Control Guide in that it did not contain the five components of ERM: governance and culture; strategy and objective-setting; performance; review and revision; and information, communication, and reporting.

The ICP also did not include a risk assessment that included the likelihood and potential impact of risks. Based on the problems we found in this area, we again urge DOS to implement our recommendations on this matter.