Department of Finance and Administration 1 NASC Annual Conference Friday, March 25, 2011 Phoenix, Arizona The Mississippi Experience

Page 1

Department of Finance and Administration

NASC Annual Conference

Friday, March 25, 2011

Phoenix, Arizona

The Mississippi Experience

Page 2

NASC Multi-State Consortium on Internal Control

Purpose

History

Tools

Mississippi’s Internal Control Journey

DFA’s Initial Role in Internal Control

How We Planned to Move Forward

Steps That Were Taken

ARRA Monitoring of Internal Controls

Where Are We Now and Where Do We Go from Here

Resources

Key Points

Page 3

First conference call meeting of the Multi-State Consortium on Internal Control (MSC) was convened October, 2006

Goals were developed

Vision and Mission Statements were crafted

NASC Multi-State Consortium on Internal Control

Page 4

Vision Statement: To provide a low cost COSO/CobiT-based Web-enabled enterprise risk assessment and monitoring tool to state and local governments.

Mission Statement: The Multi-State Consortium on Internal Control’s mission is to educate and support the use of good internal controls. It is our goal to achieve standardization, consistency, and expand utilization by providing a low cost, accessible mechanism for establishing, assessing, monitoring, and reporting on enterprise risk for governments.

NASC Multi-State Consortium on Internal Control

Page 5

Control Activities – These policies and procedures help ensure management directives are carried out

Information and Communication – Pertinent information must be identified, captured and communicated in a form and time frame that supports all other control components

Monitoring – Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time

Control Environment – The control environment sets the tone of an organization, influencing the control consciousness of its people

Risk Assessment – Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level

Internal Control - Integrated Framework, COSO

Quality Assurance – COSO

Page 6

Implement SAS 112 and improve state documentation of internal controls

Open dialogue and sharing among states

Post various state statutes related to Internal Controls on NASC web site

Post state internal control documents on NASC web site

Research automated tool to standardize and monitor internal controls

Invite various vendors to demo GRC software

Demo Massachusetts online Assessment Tool

Develop Guidebook, Glossary, and Internal Control Questionnaire

NASC Multi-State Consortium on Internal Control

Page 7

October, 2006, the first conference call meeting of the Multi-State Consortium on Internal Control (MSC) was convened and it was determined what the group wanted to gain from their participation in the MSC

Open dialogue and sharing among states

Post various state statutes on NASC web site

Automated tool to standardize and monitor internal control

Invite various vendors to demo GRC software

Eventually participants decided their respective states did not have the funds to purchase GRC software at that time

NASC Multi-State Consortium on Internal Control

Page 8

NASC Multi-State Consortium on Internal Control

Page 9

•Guidance by DFA on Internal Controls In MAAPP Manual

•Statutes

In 2006 DFA decided to place more emphasis on education and training on internal controls and compliance with laws and regulations at the agency level.

MS DFA’s Role As It Related to Internal Controls in State Agencies

Page 10

Plan to Move Forward

Strengthen the internal control sections of the MAAPP manual and make them more “user-friendly”.

Emphasize internal controls at the agency level. Alert agency executive directors and other agency managers of management’s responsibility related to internal control requirements.

Provide training on internal controls for agency staff and ongoing technical assistance.

Page 11

Enforce requirement of written annual internal control assessment by agency management providing assurances on internal control.

Consider statutory revisions addressing changes needed in regard to annual assessment/assurances and reporting to DFA.

Develop pre-audit criteria that would allow selection of types of documents and volume percentages of review by BFC.

Plan to Move Forward

Page 12

Plan to Move Forward

Establish pre-audit criteria for each agency based upon strength of that agency’s internal control system.

Upgrade staff qualification requirements and associated salary levels to allow the hiring of individuals who could provide training to agencies on internal control and who could audit the agency assessments of their internal control to determine validity.

Page 13

Next Steps Taken

Held meeting for agency executive and finance directors on internal controls and risk and SAS 112 in February, 2007

Issued updated MAAPP manual sections which included interactive risk assessments during 2008

DFA Executive Director issued memo requiring agencies to develop internal control plan and submit risk assessments and certification annually in February, 2009

Page 14

Next Steps Taken

Agencies were required to submit first risk assessments and certification letter by June 1, 2009

Agency Training September, 2009 for agencies on SAS 112/115 and Risk Assessments

Next assessments and certification were due December 31, 2009

Contracted with KPMG to assist DFA in monitoring of agency internal controls over ARRA funds

Most recent assessments were due from agencies December 31, 2010

Page 15

Language from February, 2009 DFA Executive Director Letter

“Agencies are required to develop a written internal control plan. Information on how to prepare an agency Internal control plan is provided in Sub-Section 30.30.20 of the Internal Control Section of the MAAPP Manual. Agencies are also required to maintain adequate written documentation for activities conducted in connection with risk assessments, internal control reviews and follow-up actions. This documentation is to be available for review by agency management, the Office of State Auditor and DFA-OFM.”

Page 16

“Annually, each agency director and chief financial officer shall sign and submit a letter to DFA-OFM certifying that internal controls within the agency have been evaluated in accordance with guidelines established. See example of letter located in Sub-Section 30.20.20 of the Internal Control Section of the MAAPP Manual. This letter will report the results of the agency's compliance, including an attached summary description of material internal control weaknesses and significant deficiencies, if any, and a brief corrective action plan.”

Language from February, 2009 DFA Executive Director Letter

Page 17

This Control Implemented and Operating Effectively (Agree/Disagree, Comments)

1. Job descriptions (and other documents that define key position duties/requirements) are current, accurate, and understood.
Agree/Disagree: 3 - Somewhat agree
Comments: We are in the process of updating our job descriptions. We recently purchased a software program that will assist in making sure that adequate ADA language is included, etc.

2. There is a mechanism in place to keep the job descriptions current, accurate, and understood.
Agree/Disagree: 4 - Agree
Comments: We need to do a better job to ensure that our job descriptions are kept current. The Executive Director has appointed the Communications Officer to lead the effort to bring the job descriptions up-to-date.

3. Job knowledge/skill requirements realistically match the organization and position’s needs.
Agree/Disagree: 5 - Strongly agree

4. Management has the specialized knowledge, experience, and training required to perform their duties and does not rely extensively on technical specialists or outside consultants.
Agree/Disagree: 4 - Agree
Comments: We do hire several outside consultants throughout each fiscal year to help in the technology area. We have only 3 employees in this area and they are responsible for keeping all divisions and locations' networks up and running.

5. Employees are properly trained and are capable of performing all jobs within your division.
Agree/Disagree: 4 - Agree
Comments: We are working to strengthen training on new computers and computer applications.

6. Employees are committed to excellence in performing their jobs.
Agree/Disagree: 5 - Strongly agree
Comments: Employees at the agency are very professional and are committed to excellence.

7. Individual performance targets focus on both the long- and short-term and address a broad spectrum of criteria (e.g., quality, productivity, leadership, teamwork, and self-development).
Agree/Disagree: 5 - Strongly agree
Comments: Each division is responsible for providing the executive director with 4 or more goals above and beyond normal job duties that they will strive to achieve during the upcoming fiscal year. These goals may be either short or long-term.

Conclusions Reached and Actions Needed:

Our management has a high commitment to professional and technical competence. However, we need to do a better job in keeping our job descriptions current. XYZ, DEF, and ABC on 5/12/09 and 5/28/2009.

Exhibit 4: Management’s Commitment to Professional and Technical Competence

Page 18

Agency Y – 2009

Control Environment Assessment Tools

Exhibit 2: Management’s Philosophy

Page 19

Agency Y – 2010

Control Environment Assessment Tools

Exhibit 2: Management’s Philosophy

Page 20

Agency Z – 2009

Control Environment Assessment Tools

Exhibit 2: Management’s Philosophy

Page 21

Agency Z – 2010

Control Environment Assessment Tools

Exhibit 2: Management’s Philosophy

Page 22

Agency Response to Internal Controls

December, 2010

Page 23

Agencies contracting for assistance completing the IC Assessment

2009 six agencies (4 large, 1 medium, and 1 small)

2010 three agencies (2 large and 1 medium)

Agency Commitment

Page 24

Pre-Audit Selection Table

Page 25

Pre-Audit Selection Table Example

Page 26

ARRA Monitoring

A Risk Assessment Spreadsheet was used to assign risk to each grant

Financial Risk (maximum 25 points)

1512 Expended Amount 12/31/09

1512 Reporting Compliance (used checklist)

Internal Control Risk (maximum 35 points)

Single Audit Findings

OMB/GAO Risk

Other Reports

12/31/09 Risk Assessments

Page 27

ARRA Monitoring

A Risk Assessment Spreadsheet was used to assign risk to each grant

Public Interest Risk (maximum 10 points)

All Executive Agencies considered medium at a minimum

Public records request or inquiries

Operational Risk (maximum 30 points)

Time to spend funds

Subrecipient Type

Subrecipient Count

Discretion

New Program

Type of Expenditure

Overall Risk (maximum 100 points)

Page 28

ARRA Monitoring

Interviews were conducted with each agency receiving ARRA funds – 23 agencies and 67 grants

KPMG was given agencies’ 12/31/09 assessments

Overall risk assessment score and individual assessment scores determined the order in which agency onsite monitoring was performed

Page 29

ARRA Monitoring

Template developed for agency field work

Governance/Oversight/Management

Human Capital

General Accounting

Purchasing and Disbursements

Procurement/Acquisition

Allowable Costs – Activities Allowed or Unallowed

Fixed Assets

Disbursements

Cash Receipts

General

Cash Management

Program Income

Page 30

ARRA Monitoring

Template developed for agency field work

Grants Management

Program Requirements

Matching Requirements

Eligible Activities

Eligible Participants (selection of subrecipients)

Reporting

ARRA 1512 Reporting

Performance and Other Reporting

GAAP Financial Statement Reporting

Subrecipient Monitoring

Page 31

ARRA Monitoring

Template developed for agency field work

Davis-Bacon Act Compliance

Contract Monitoring

Information Systems

Special Provisions/Additional Steps

Page 32

Observations are communicated to each agency during an exit interview conducted by both DFA and KPMG

Agencies are verbally provided with next steps related to the observations

Agencies are sent a letter by DFA detailing the observations, leading practices of the agency, and next steps

ARRA Monitoring

Page 33

Agencies are more focused on internal controls:

Develop internal control plans

Assess risk and submit to DFA

Submit agency director certifications to DFA

Monitor ARRA grants

Where We Are

Page 34

NASC Multi-State Consortium on Internal Control http://nasact.org/nasc/committees/multistate/index.cfm

DFA Home Page http://www.dfa.state.ms.us/index.htm

MAAPP Manual http://www.dfa.state.ms.us/Offices/OFM/MAAPP.htm

OFM Internal Control Memos & Presentations http://www.dfa.state.ms.us/Offices/OFM/OFM.htm

Resources

Page 35

The Mississippi Experience

Leila Malatesta

Office of Fiscal Management, Director

Department of Finance and Administration

601-359-3405

NASC Annual Conference

Friday, March 25, 2011

Phoenix, Arizona