Date posted: 27-Mar-2015
Department of Finance and Administration
NASC Annual Conference
Friday, March 25, 2011
Phoenix, Arizona
The Mississippi Experience
NASC Multi-State Consortium on Internal Control
Purpose
History
Tools
Mississippi’s Internal Control Journey
DFA’s Initial Role in Internal Control
How We Planned to Move Forward
Steps That Were Taken
ARRA Monitoring of Internal Controls
Where Are We Now and Where Do We Go from Here
Resources
Key Points
The first conference call meeting of the Multi-State Consortium on Internal Control (MSC) was convened in October, 2006
Goals were developed
Vision and Mission Statements were crafted
Vision Statement: To provide a low cost COSO/CobiT-based Web-enabled enterprise risk assessment and monitoring tool to state and local governments.
Mission Statement: The Multi-State Consortium on Internal Control’s mission is to educate and support the use of good internal controls. It is our goal to achieve standardization, consistency, and expand utilization by providing a low cost, accessible mechanism for establishing, assessing, monitoring, and reporting on enterprise risk for governments.
Control Activities – These policies and procedures help ensure management directives are carried out
Information and Communication – Pertinent information must be identified, captured and communicated in a form and time frame that supports all other control components
Monitoring – Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time
Control Environment – The control environment sets the tone of an organization, influencing the control consciousness of its people
Risk Assessment – Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level
Internal Control - Integrated Framework, COSO
Quality Assurance – COSO
Implement SAS 112 and improve state documentation of internal controls
Open dialogue and sharing among states
Post various state statutes related to Internal Controls on NASC web site
Post state internal control documents on NASC web site
Research automated tool to standardize and monitor internal controls
Invite various vendors to demo GRC software
Demo Massachusetts online Assessment Tool
Develop Guidebook, Glossary, and Internal Control Questionnaire
In October, 2006, the first conference call meeting of the Multi-State Consortium on Internal Control (MSC) was convened and it was determined what the group wanted to gain from their participation in the MSC:
• Open dialogue and sharing among states
• Post various state statutes on NASC web site
• Automated tool to standardize and monitor internal control
• Invite various vendors to demo GRC software
Eventually participants decided their respective states did not have the funds to purchase GRC software at that time
• Guidance by DFA on Internal Controls in MAAPP Manual
• Statutes
In 2006 DFA decided to place more emphasis on education and training on internal controls and compliance with laws and regulations at the agency level.
MS DFA’s Role As It Related to Internal Controls in State Agencies
Plan to Move Forward
Strengthen the internal control sections of the MAAPP manual and make them more “user-friendly”.
Emphasize internal controls at the agency level. Alert agency executive directors and other agency managers to management’s responsibility related to internal control requirements.
Provide training on internal controls for agency staff and ongoing technical assistance.
Enforce requirement of written annual internal control assessment by agency management providing assurances on internal control.
Consider statutory revisions addressing changes needed in regard to annual assessment/assurances and reporting to DFA.
Develop pre-audit criteria that would allow selection of types of documents and volume percentages of review by BFC.
Establish pre-audit criteria for each agency based upon strength of that agency’s internal control system.
Upgrade staff qualification requirements and associated salary levels to allow the hiring of individuals who could provide training to agencies on internal control and who could audit the agency assessments of their internal control to determine validity.
Next Steps Taken
Held meeting for agency executive and finance directors on internal controls and risk and SAS 112 in February, 2007
Issued updated MAAPP manual sections which included interactive risk assessments during 2008
In February, 2009, the DFA Executive Director issued a memo requiring agencies to develop an internal control plan and submit risk assessments and certification annually
Agencies were required to submit first risk assessments and certification letter by June 1, 2009
Held agency training in September, 2009 on SAS 112/115 and risk assessments
Next assessments and certification were due December 31, 2009
Contracted with KPMG to assist DFA in monitoring of agency internal controls over ARRA funds
Most recent assessments were due from agencies December 31, 2010
Language from February, 2009 DFA Executive Director Letter
“Agencies are required to develop a written internal control plan. Information on how to prepare an agency Internal control plan is provided in Sub-Section 30.30.20 of the Internal Control Section of the MAAPP Manual. Agencies are also required to maintain adequate written documentation for activities conducted in connection with risk assessments, internal control reviews and follow-up actions. This documentation is to be available for review by agency management, the Office of State Auditor and DFA-OFM.”
“Annually, each agency director and chief financial officer shall sign and submit a letter to DFA-OFM certifying that internal controls within the agency have been evaluated in accordance with guidelines established. See example of letter located in Sub-Section 30.20.20 of the Internal Control Section of the MAAPP Manual. This letter will report the results of the agency's compliance, including an attached summary description of material internal control weaknesses and significant deficiencies, if any, and a brief corrective action plan.”
This Control Implemented and Operating Effectively | Agree/Disagree | Comments

1. Job descriptions (and other documents that define key position duties/requirements) are current, accurate, and understood.
   Agree/Disagree: 3 - Somewhat agree
   Comments: We are in the process of updating our job descriptions. We recently purchased a software program that will assist in making sure that adequate ADA language is included, etc.
2. There is a mechanism in place to keep the job descriptions current, accurate, and understood.
   Agree/Disagree: 4 - Agree
   Comments: We need to do a better job to ensure that our job descriptions are kept current. The Executive Director has appointed the Communications Officer to lead the effort to bring the job descriptions up-to-date.
3. Job knowledge/skill requirements realistically match the organization and position’s needs.
   Agree/Disagree: 5 - Strongly agree
4. Management has the specialized knowledge, experience, and training required to perform their duties and does not rely extensively on technical specialists or outside consultants.
   Agree/Disagree: 4 - Agree
   Comments: We do hire several outside consultants throughout each fiscal year to help in the technology area. We have only 3 employees in this area and they are responsible for keeping all divisions and locations' networks up and running.
5. Employees are properly trained and are capable of performing all jobs within your division.
   Agree/Disagree: 4 - Agree
   Comments: We are working to strengthen training on new computers and computer applications.
6. Employees are committed to excellence in performing their jobs.
   Agree/Disagree: 5 - Strongly agree
   Comments: Employees at the agency are very professional and are committed to excellence.
7. Individual performance targets focus on both the long- and short-term and address a broad spectrum of criteria (e.g., quality, productivity, leadership, teamwork, and self-development).
   Agree/Disagree: 5 - Strongly agree
   Comments: Each division is responsible for providing the executive director with 4 or more goals above and beyond normal job duties that they will strive to achieve during the upcoming fiscal year. These goals may be either short or long-term.

Conclusions Reached and Actions Needed:
Our management has a high commitment to professional and technical competence. However, we need to do a better job in keeping our job descriptions current.
XYZ, DEF, and ABC on 5/12/09 and 5/28/2009.

Exhibit 4: Management’s Commitment to Professional and Technical Competence
Agency Y – 2009, Control Environment Assessment Tools, Exhibit 2: Management’s Philosophy
Agency Y – 2010, Control Environment Assessment Tools, Exhibit 2: Management’s Philosophy
Agency Z – 2009, Control Environment Assessment Tools, Exhibit 2: Management’s Philosophy
Agency Z – 2010, Control Environment Assessment Tools, Exhibit 2: Management’s Philosophy
Agency Response to Internal Controls, December, 2010
Agencies contracting for assistance completing the IC Assessment
2009 six agencies (4 large, 1 medium, and 1 small)
2010 three agencies (2 large and 1 medium)
Agency Commitment
Pre-Audit Selection Table
Pre-Audit Selection Table Example
ARRA Monitoring
A Risk Assessment Spreadsheet was used to assign risk to each grant
Financial Risk (maximum 25 points)
• 1512 Expended Amount 12/31/09
• 1512 Reporting Compliance (used checklist)
Internal Control Risk (maximum 35 points)
• Single Audit Findings
• OMB/GAO Risk
• Other Reports
• 12/31/09 Risk Assessments
Public Interest Risk (maximum 10 points)
• All Executive Agencies considered medium at a minimum
• Public records request or inquiries
Operational Risk (maximum 30 points)
• Time to spend funds
• Subrecipient Type
• Subrecipient Count
• Discretion
• New Program
• Type of Expenditure
Overall Risk (maximum 100 points)
Interviews were conducted with each agency receiving ARRA funds – 23 agencies and 67 grants
KPMG was given agencies’ 12/31/09 assessments
Overall risk assessment score and individual assessment scores determined the order in which agency onsite monitoring was performed
Template developed for agency field work
Governance/Oversight/Management
Human Capital
General Accounting
Purchasing and Disbursements
• Procurement/Acquisition
• Allowable Costs – Activities Allowed or Unallowed
• Fixed Assets
• Disbursements
Cash Receipts
• General
• Cash Management
• Program Income
Grants Management
Program Requirements
Matching Requirements
Eligible Activities
Eligible Participants (selection of subrecipients)
Reporting
• ARRA 1512 Reporting
• Performance and Other Reporting
• GAAP Financial Statement Reporting
Subrecipient Monitoring
Davis-Bacon Act Compliance
Contract Monitoring
Information Systems
Special Provisions/Additional Steps
Observations are communicated to each agency during an exit interview conducted by both DFA and KPMG
Agencies are verbally provided with next steps related to the observations
Agencies are sent a letter by DFA detailing the observations, leading practices of the agency, and next steps
Agencies are more focused on internal controls:
• Develop internal control plans
• Assess risk and submit to DFA
• Submit agency director certifications to DFA
• Monitor ARRA grants
Where We Are
NASC Multi-State Consortium on Internal Control http://nasact.org/nasc/committees/multistate/index.cfm
DFA Home Page http://www.dfa.state.ms.us/index.htm
MAAPP Manual http://www.dfa.state.ms.us/Offices/OFM/MAAPP.htm
OFM Internal Control Memos & Presentations http://www.dfa.state.ms.us/Offices/OFM/OFM.htm
Resources
The Mississippi Experience
Leila Malatesta
Office of Fiscal Management, Director
Department of Finance and Administration
601-359-3405
NASC Annual Conference
Friday, March 25, 2011
Phoenix, Arizona