P

Department of Finance and Administration

1

NASC Annual Conference

Thursday, March 25, 2010

Des Moines, Iowa

Internal Controls & ARRA Monitoring in Mississippi

22

DFA’s Earlier Role As It Related to Internal Controls in State Agencies How to Move Forward Next Steps Taken Mississippi’s Visibility Mississippi Reporting Model Definitions 1512 Reporting Model Memos and Instructions Reporting Observations What Is Our Status? Quality Assurance Plan ARRA Monitoring Fraud, Waste, and Abuse Stimulus360 – Mississippi’s Reporting Solution (Overview) Resources

Key Points

33

•Guidance by DFA on Internal Controls In MAAPP Manual

•Statutes

In 2006 decided DFA needed to place more emphasis on education and training on internal controls and compliance with laws and regulations at the agency level.

DFA’s Earlier Role As It Related to Internal Controls in State Agencies

4

How to Move Forward

Strengthen the internal control sections of the MAAPP manual and make them more “user-friendly”.

Place emphasis on internal controls at the agency level. Alert agency executive directors and other agency managers of managements’ responsibility related to internal control requirements.

Provide training on internal controls for agency staff and ongoing technical assistance.

4

5

Enforce requirement of written annual internal control assessment by agency management providing assurances on internal control.

Consider statutory revisions addressing changes needed in regard to annual assessment/assurances and reporting to DFA.

Develop pre-audit criteria that would allow selection of types of documents and volume percentages of review by BFC.

5

How to Move Forward

6

How to Move Forward

Establish pre-audit criteria for each agency based upon strength of that agency’s internal control system.

Upgrade staff qualification requirements and associated salary levels to allow the hiring of individuals who could provide training to agencies on internal control and who could audit the agency assessments of their internal control to determine validity.

6

7

Next Steps Taken

Held meeting for agency executive and finance directors on internal controls and risk and SAS 112 in February, 2007

Issued updated MAAPP manual sections which included interactive risk assessments during 2008

DFA Executive Director issued memo requiring agencies to develop internal control plan and submit risk assessments and certification annually in February, 2009

7

8

Next Steps Taken

Agencies were required to submit risk assessments and certification letter by June 1, 2009

Agency Training September, 2009 for agencies on SAS 112/115 and Risk Assessments

Next assessment and certification was due December 31, 2009

8

9

Next Steps Taken

Agencies were required to submit risk assessments and certification letter by June 1, 2009

Agency Training September, 2009 for agencies on SAS 112/115 and Risk Assessments

Next assessment and certification was due December 31, 2009

9

10

Language from Letter

“Agencies are required to develop a written internal control plan. Information on how to prepare an agency Internal control plan is provided in Sub-Section 30.30.20 of the Internal Control Section of the MAAPP Manual. Agencies are also required to maintain adequate written documentation for activities conducted in connection with risk assessments, internal control reviews and follow-up actions. This documentation is to be available for review by agency management, the Office of State Auditor and DFA-OFM.”

10

11

Language from Letter

“Annually, each agency director and chief financial officer shall sign and submit a letter to DFA-OFM certifying that internal controls within the agency have been evaluated in accordance with guidelines established. See example of letter located in Sub-Section 30.20.20 of the Internal Control Section of the MAAPP Manual. This letter will report the results of the agency's compliance, including an attached summary description of material internal control weaknesses and significant deficiencies, if any, and a brief corrective action plan.”

11

1212

This Control Implemented and Operating Effectively Agree/Disagree Comments

1. Job descriptions (and other documents that define key position duties/requirements) are current, accurate, and understood.

3 - Somewhat agree We are in the process of updating our job descriptions. We recently purchased a software program that will assist in making sure that adequate ADA language is included,etc.

2. There is a mechanism in place to keep the job descriptions current, accurate, and understood.

4 - Agree We need to do a better job to ensure that our job descriptions are kept current. The Executive Director has appointed the Communications Officer to lead the effort to bring the job descriptions up-to-date.

3. Job knowledge/skill requirements realistically match the organization and position’s needs.

5 - Strongly agree

4. Management has the specialized knowledge, experience, and training required to perform their duties and does not rely extensively on technical specialists or outside consultants.

4 - Agree We do hire several outside consultants throughout each fiscal year to help in the technology area. We have only 3 employees in this area and they are responsible for keeping all divisions and locations' networks up and running.

5. Employees are properly trained and are capable of performing all jobs within your division.

4 - Agree We are working to strengthen training on new computers and computer applications.

6. Employees are committed to excellence in performing their jobs.

5 - Strongly agree Employees at the agency are very professional and are committed to excellence.

7. Individual performance targets focus on both the long- and short-term and address a broad spectrum of criteria (e.g., quality, productivity, leadership, teamwork, and self-development).

5 - Strongly agree Each division is responsible for providing the executive director with 4 or more goals above and beyond normal job duties that they will strive to achieve during the upcoming fiscal year. These goals may be either short or long-term.

Conclusions Reached and Actions Needed:

Our management has a high commitment to professional and technical competence. However, we need to do a better job in keeping our job descriptions current. XYZ, DEF, and ABC on 5/12/09 and 5/28/2009.

Exhibit 4: Management’s Commitment to Professional and Technical Competence

1313

Mississippi’s Visibility

Round 6 focused on the One Year Anniversary of the Recovery Act and began in late February.

1414

Centralized vs. DecentralizedMississippi’s 1512 Reporting Model – Decentralized

State’s prime recipients “push the button” to submit

Mississippi’s Software Tool – Stimulus360Centralized tool but reporting still decentralized!Deployment scheduled to support April 2010 (2010Q1) 1512 Reports

Mississippi Reporting Model

15

Stimulus360 Mississippi’s Reporting Solution Overview

15

1616

Prime Recipient DefinitionWho Is the State

SAAS AgenciesIncludes State Ports (Gulfport, Yellow Creek)Includes the Board for the Institutions of Higher LearningIncludes the Board for the Community and Junior Colleges

How is PRIME defined at this level?State is the StateLead Agency

Sets the rules for State Agencies receiving sub-allocations (part of PRIME) Sets the rules for the sub-recipients Collects all the info Files the 1512 Report for the Federal Award

Mississippi Reporting Model Definitions

1717

Prime Recipient DefinitionWho Is Not the State (i.e. “non-State”)

Everyone ElseInstitutions of Higher Education (Universities and Colleges)CAFR Component UnitsCities and CountiesLocal School DistrictsMunicipal and County Ports and Airport AuthoritiesFinancial Authorities (Development Bank, Business Finance Corp)MIB, Prison Industries


1818

Prime Recipient DefinitionIf non-State entities are PRIME recipients

File 1512 on their own April 2010 Reporting

Follow same process as January 2010 for 2009Q4 Send a copy to [email protected]

July 2010 Reporting Provided option to move to STIMULUS360

Reports posted on www.stimulus.ms.gov If non-State are sub-recipients of the State

Follow the procedures of the State Lead Agency for each specific Federal Award


1919

Who Are the Mississippi PlayersStatewide

Office of the GovernorStimulus Coordinator for the State

Amanda Jones, Counsel to Governor Haley BarbourDepartment of Finance and Administration/OFM

Monitoring State AgenciesInternal Controls/Quality Assurance

Department of Finance and Administration/MMRSToolsData RepositoryPolicies and Procedures Repository

Department of Finance and Administration/OB&FMState Fiscal Stabilization Funds Lead Agency on behalf of the Governor

Office of the State AuditorAudits State AgenciesSingle AuditMonitoring for all but State levelPerformance AuditsInvestigation of Fraud and Abuse


2020

Who Are Agency / Governmental Entity PlayersMany Players

Executive DirectorProgram Manager for the Federal AwardFinance and Accounting Staff1512 Report Preparers

Recommendation – No more that 1 Federal Award per Preparer1512 Report Reviewers

Recommendation – No more than 2-3 Federal Awards per ReviewerInternal Auditor


2121

Key IssuesCommunicate with sub-recipients (and if a State Agency with other State entities receiving sub-allocations)Set standards and timelines and stick to themKeep up with the constant changes by the federal granting agenciesNo decisions can be made in a vacuum

Program and Finance/Accounting staff must be on the same page!Every decision reduced to writing

Document! Document! Document!Maintain copies of other documentation supporting all decisions

Make sure the documentation is for a resource authorized to make their answer stand up

Work papers must be orderly, accessible, and auditable!


2222

Federal Agency

Prime Recipient (Lead Agency)

Sub-recipients Vendors

Sub-allocated to state agency(Reports Data to Lead Agency as

Part of Prime Recipient)

Vendors

Sub-recipients Vendors

Vendors

1512 Reporting Model

23

Easy Way To Policies and Procedures

Memos and Instructions

24


2525

All Stimulus communications are published under the link of “Find ARRA Policies and Procedures” at www.stimulus.ms.gov

Notification emails issued to State agencies and other known entities regarding new communications

New memos added on a regular basis Memos modified as required (and flagged as “Revised”):

Sub-allocations vs. sub-recipients (state agency to state agency) due to the definition of the State (ARRA Reporting Guidance v2 and Memo #1)

CFDA Recovery Programs (OMB Supplement #1) (Memo #6) Purchasing Law Changes (Memo #9) Updated chart of enhancements to SAAS with anticipated dates

(Memo #13) Additional categories of contracts in the Award/Contract Interface

and corrections to the chart of points of entry (Memo #17) Stimulus360 Demo and Required Training… (Memo #30)


26

Reporting ObservationsThe State’s View

2727

Required Executive Directors to sign Certification

I, (agency director), hereby certify to the Mississippi Department ofFinance and Administration (DF A) that American Reinvestment and Recovery Act (ARRA) funds accepted and disbursed by (agency name) will be spent as responsibly and effectively as possible while maintaining the appropriate controls and reporting mechanisms to ensure accountability and transparency in compliance with ARRA. I understand that my agency may not accept nor escalate ARRA funds unless this certification is made to DFA; that failure tosubmit required reports or information may result in the loss of the agency's ability to expend Stimulus funds; and that a copy of this certification will be placed on file with the Office of the Governor and posted on stimulus.ms.gov.

In addition, I certify compliance with the following:1) pursuant to Title , Subtitle __ , Section(s) of the American Recovery andReinvestment Act (Public Law 111-5 (February 17, 2009)) ("ARRA"), _(type of) investments funded with amounts appropriated by ARRA under the heading:_________ (Program Name) to the (Federal Agency) will receive the full review and vetting required by law and that I accept responsibilitythat such investments of ARRA funds will be appropriate uses of taxpayer dollars;

MISSISSIPPI AGENCY CERTIFICATION UNDERTHE AMERICAN RECOVERY AND REINVESTMENT ACT

2828

2) the specific information required by Section(s) and Section 1512 concerning each such investment is in strict accordance with federal ARRA requirements and in accordance with the guidelines issued by DFA to meet reporting requirements;3) accept responsibility for communicating with respective federal agency(ies) to ensure we remain in compliance with all requirements of ARRA and will communicate those requirements to DFA in a timely manner;4) risks are or will be identified and internal controls which are sufficient to mitigate the risk of waste, fraud, and abuse are or will be implemented;5) prior audit findings, if applicable, have been addressed and corrective action plans implemented;6) the certification currently made on documents submitted to DFA for payment is inclusive of the following for ARRA funds:

a. the claims are just, due, correct and unpaid;b. the goods sold or services rendered have been delivered or performed in good order;c. all statutory requirements covering the payment of this claim have been complied with,

i. all state statutory and regulatory requirements have been ,complied with;ii. all federal statutory and regulatory requirements have been complied with;iii. all grant-specific requirement have been complied with; andiv. all ARRA-specific requirements have been complied with.

MISSISSIPPI AGENCY CERTIFICATION UNDERTHE AMERICAN RECOVERY AND REINVESTMENT ACT

29

Quality Assurance Plan

Mississippi is a ‘De-Centralized State’ for ARRA 1512 Reporting. Heads of prime recipient entities are responsible for compliance with

ARRA policies and procedures and Section 1512 reporting. DFA, on behalf of the Governor, developed Mississippi’s Quality

Assurance Plan for State Agencies includes instructions and checklists for both preparers and reviewers

Office of State Auditor who has monitoring oversight over federal fund recipients not in State level government and has audit responsibilities for all federal funds received in Mississippi (including investigative powers) has similar questionnaires posted on the OSA website

30

Quality Assurance“Data quality is an important responsibility of key stakeholders identified in the Recovery Act. Prime recipients, as owners of the data submitted, have the principal responsibility for the quality of the information submitted.”

Source: Implementing Guidance for Reports on Use of Funds Pursuant to the American Recovery and Reinvestment Act of 2009, OMB, June 22, 2009

31

Mississippi’s 1512 Quality Assurance Plan:

Decentralized Reporting Mississippi’s 1512 Quality Assurance Plan:

Decentralized Reporting

AGENCY PREPARERAGENCY PREPARER

AGENCY COMPLIANCE

DESIGNEE

AGENCY COMPLIANCE

DESIGNEE

DFA QA DFA QA TEAMTEAM

DFA QA DFA QA TEAMTEAM

Drives testing and decisions at an Agency level with oversight from DFA 1512 Team

AGENCY REVIEWERAGENCY REVIEWER

Inte

rnal

Contro

ls

Audit Activities

AGENCYAGENCY EXECUTIVE DIRECTOREXECUTIVE DIRECTOR

This process works regardless of whether a State agency, County,

Municipality, School District, IHE, Non-profit

32

Control Activities – These policies and procedures help ensure management directives are carried out

Information and Communication – Pertinent information must be identified, captured and communicated in a form and time frame that supports all other control components

Monitoring – Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time

Control Environment – The control environment sets the tone of an organization, influencing the control consciousness of its people

Risk Assessment – Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level

Internal Control - Integrated Framework, COSO

Quality Assurance – COSO

33

Leveraging Activities to Help Ensure Maximum Coverage without Redundancy

Who Activity Control Components

Preparer

Compiles information from: programs, SAAS, subrecipients, suballocants and vendors & completes supporting schedules

Prepares reporting template Maintains sufficient documentation for

review/ verification Completes preparer’s checklist

Control Activities

Information and Communication

Reviewer

Re-performs and verifies data elements against supporting docs

Completes reviewer’s checklist Documents issues and exceptions

Control Activities

34



Compliance Designee

Assumes responsibility for compliance with all ARRA rules & regulations (i.e., reporting, monitoring and oversight of program compliance)

Reviews the check-list prepared by reviewer

Oversees corrective action

Control Environment


Internal Audit *

Performs risk based reviews Leverages checklist Ties to source on a sample basis Reports on control and compliance

weaknesses

Risk Assessment Monitoring

* Internal Audit cannot design or perform specific control activities. Internal Audit’s role is to* Internal Audit cannot design or perform specific control activities. Internal Audit’s role is to

monitor the overall effectiveness of the controls established and executed by management.monitor the overall effectiveness of the controls established and executed by management.

35



Executive Director

Ultimately responsible for all agency activity and compliance.

Control Environment


External

QA Team

(DFA for agencies; OSA

for others;

Some external auditors for

certain entities)

Establishes procedures for recording

& tracking ARRA funds

Disseminates information, guidance &

rules to agencies

Reviews compliance with 1512

reporting requirements

Emphasizes agency internal controls

Monitors agency ARRA compliance

Assists GAO in its review & reporting

Risk Assessment Control Activities Monitoring Information &

Communication Control

Environment

36

ARRA Monitoring

A Risk Assessment Spreadsheet was used to assign risk to each grant

Financial Risk (maximum 25 points)1512 Expended Amount 12/31/09

1512 Reporting Compliance (used checklist)

Internal Control Risk (maximum 35 points)Single Audit Findings

OMB/GAO Risk

Other Reports

12/31/09 Risk Assessments

36

37

ARRA Monitoring

A Risk Assessment Spreadsheet was used to assign risk to each grant

Public Interest Risk (maximum 10 points)All Executive Agencies considered medium at a minimum

Public records request or inquiries

Operational Risk (maximum 30 points)Time to spend funds

Subrecipient Type

Subrecipient Count

Discretion

New Program

Type of Expenditure

Overall Risk (maximum 100 points)37

38

ARRA Monitoring

Interviews were conducted with each agency receiving ARRA funds – 23 agencies and 67 grants

KPMG was given agencies’ 12/31/09 assessments

Overall risk assessment score and individual assessment scores determined order agency onsite monitoring will occur

38

39

ARRA Monitoring

Template developed for agency field workGovernance/Oversight/Management

Human Capital

General Accounting

Purchasing and DisbursementsProcurement/Acquisition

Allowable Costs – Activities Allowed or Unallowed

Fixed Assets

Disbursements

Cash ReceiptsGeneral

Cash Management

Program Income39

40

ARRA Monitoring

Template developed for agency field workGrants Management

Program Requirements

Matching Requirements

Eligible Activities

Eligible Participants (selection of subrecipients)

ReportingARRA 1512 Reporting

Performance and Other Reporting

GAAP Financial Statement Reporting

Subrecipient Monitoring

40

41

ARRA Monitoring

Template developed for agency field workDavis-Bacon Act Compliance

Contract Monitoring

Information Systems

Special Provisions/Additional Steps

41

42

Waste, Fraud and Abuse

Source: Recovery.gov 2/16/2010

43

Waste, Fraud and Abuse

See Recovery.gov for the complete list of disclosure

protections.

Source: Recovery.gov 2/16/2010

4444

DFA Home Pagehttp://www.dfa.state.ms.us/index.htm

MAAPP Manual http://www.dfa.state.ms.us/Offices/OFM/MAAPP.htm

OFM Internal Control Memos & Presentations http://www.dfa.state.ms.us/Offices/OFM/OFM.htm

MS Stimulus.govhttp://stimulus.ms.gov/msgo/mssr.nsf

Stimulus Policies and Procedures for Agencieshttp://www.mmrs.state.ms.us/statewide_applications/Stimulus/Stimulus_Policies_and_Procedures.shtml

Resources

45

Internal Controls & ARRA Monitoring in Mississippi

Leila MalatestaOffice of Fiscal Management, Director

Department of Finance and Administration601-359-3405

[email protected]

NASC Annual ConferenceThursday, March 25, 2010

Des Moines, Iowa

P

Documents

Transcript of P