P
description
Transcript of P
Department of Finance and Administration
1
NASC Annual Conference
Thursday, March 25, 2010
Des Moines, Iowa
Internal Controls & ARRA Monitoring in Mississippi
22
DFA’s Earlier Role As It Related to Internal Controls in State Agencies How to Move Forward Next Steps Taken Mississippi’s Visibility Mississippi Reporting Model Definitions 1512 Reporting Model Memos and Instructions Reporting Observations What Is Our Status? Quality Assurance Plan ARRA Monitoring Fraud, Waste, and Abuse Stimulus360 – Mississippi’s Reporting Solution (Overview) Resources
Key Points
33
•Guidance by DFA on Internal Controls In MAAPP Manual
•Statutes
In 2006 decided DFA needed to place more emphasis on education and training on internal controls and compliance with laws and regulations at the agency level.
DFA’s Earlier Role As It Related to Internal Controls in State Agencies
4
How to Move Forward
Strengthen the internal control sections of the MAAPP manual and make them more “user-friendly”.
Place emphasis on internal controls at the agency level. Alert agency executive directors and other agency managers of managements’ responsibility related to internal control requirements.
Provide training on internal controls for agency staff and ongoing technical assistance.
4
5
Enforce requirement of written annual internal control assessment by agency management providing assurances on internal control.
Consider statutory revisions addressing changes needed in regard to annual assessment/assurances and reporting to DFA.
Develop pre-audit criteria that would allow selection of types of documents and volume percentages of review by BFC.
5
How to Move Forward
6
How to Move Forward
Establish pre-audit criteria for each agency based upon strength of that agency’s internal control system.
Upgrade staff qualification requirements and associated salary levels to allow the hiring of individuals who could provide training to agencies on internal control and who could audit the agency assessments of their internal control to determine validity.
6
7
Next Steps Taken
Held meeting for agency executive and finance directors on internal controls and risk and SAS 112 in February, 2007
Issued updated MAAPP manual sections which included interactive risk assessments during 2008
DFA Executive Director issued memo requiring agencies to develop internal control plan and submit risk assessments and certification annually in February, 2009
7
8
Next Steps Taken
Agencies were required to submit risk assessments and certification letter by June 1, 2009
Agency Training September, 2009 for agencies on SAS 112/115 and Risk Assessments
Next assessment and certification was due December 31, 2009
8
9
Next Steps Taken
Agencies were required to submit risk assessments and certification letter by June 1, 2009
Agency Training September, 2009 for agencies on SAS 112/115 and Risk Assessments
Next assessment and certification was due December 31, 2009
9
10
Language from Letter
“Agencies are required to develop a written internal control plan. Information on how to prepare an agency Internal control plan is provided in Sub-Section 30.30.20 of the Internal Control Section of the MAAPP Manual. Agencies are also required to maintain adequate written documentation for activities conducted in connection with risk assessments, internal control reviews and follow-up actions. This documentation is to be available for review by agency management, the Office of State Auditor and DFA-OFM.”
10
11
Language from Letter
“Annually, each agency director and chief financial officer shall sign and submit a letter to DFA-OFM certifying that internal controls within the agency have been evaluated in accordance with guidelines established. See example of letter located in Sub-Section 30.20.20 of the Internal Control Section of the MAAPP Manual. This letter will report the results of the agency's compliance, including an attached summary description of material internal control weaknesses and significant deficiencies, if any, and a brief corrective action plan.”
11
1212
This Control Implemented and Operating Effectively Agree/Disagree Comments
1. Job descriptions (and other documents that define key position duties/requirements) are current, accurate, and understood.
3 - Somewhat agree We are in the process of updating our job descriptions. We recently purchased a software program that will assist in making sure that adequate ADA language is included,etc.
2. There is a mechanism in place to keep the job descriptions current, accurate, and understood.
4 - Agree We need to do a better job to ensure that our job descriptions are kept current. The Executive Director has appointed the Communications Officer to lead the effort to bring the job descriptions up-to-date.
3. Job knowledge/skill requirements realistically match the organization and position’s needs.
5 - Strongly agree
4. Management has the specialized knowledge, experience, and training required to perform their duties and does not rely extensively on technical specialists or outside consultants.
4 - Agree We do hire several outside consultants throughout each fiscal year to help in the technology area. We have only 3 employees in this area and they are responsible for keeping all divisions and locations' networks up and running.
5. Employees are properly trained and are capable of performing all jobs within your division.
4 - Agree We are working to strengthen training on new computers and computer applications.
6. Employees are committed to excellence in performing their jobs.
5 - Strongly agree Employees at the agency are very professional and are committed to excellence.
7. Individual performance targets focus on both the long- and short-term and address a broad spectrum of criteria (e.g., quality, productivity, leadership, teamwork, and self-development).
5 - Strongly agree Each division is responsible for providing the executive director with 4 or more goals above and beyond normal job duties that they will strive to achieve during the upcoming fiscal year. These goals may be either short or long-term.
Conclusions Reached and Actions Needed:
Our management has a high commitment to professional and technical competence. However, we need to do a better job in keeping our job descriptions current. XYZ, DEF, and ABC on 5/12/09 and 5/28/2009.
Exhibit 4: Management’s Commitment to Professional and Technical Competence
1313
Mississippi’s Visibility
Round 6 focused on the One Year Anniversary of the Recovery Act and began in late February.
1414
Centralized vs. DecentralizedMississippi’s 1512 Reporting Model – Decentralized
State’s prime recipients “push the button” to submit
Mississippi’s Software Tool – Stimulus360Centralized tool but reporting still decentralized!Deployment scheduled to support April 2010 (2010Q1) 1512 Reports
Mississippi Reporting Model
15
Stimulus360 Mississippi’s Reporting Solution Overview
15
1616
Prime Recipient DefinitionWho Is the State
SAAS AgenciesIncludes State Ports (Gulfport, Yellow Creek)Includes the Board for the Institutions of Higher LearningIncludes the Board for the Community and Junior Colleges
How is PRIME defined at this level?State is the StateLead Agency
Sets the rules for State Agencies receiving sub-allocations (part of PRIME) Sets the rules for the sub-recipients Collects all the info Files the 1512 Report for the Federal Award
Mississippi Reporting Model Definitions
1717
Prime Recipient DefinitionWho Is Not the State (i.e. “non-State”)
Everyone ElseInstitutions of Higher Education (Universities and Colleges)CAFR Component UnitsCities and CountiesLocal School DistrictsMunicipal and County Ports and Airport AuthoritiesFinancial Authorities (Development Bank, Business Finance Corp)MIB, Prison Industries
Mississippi Reporting Model Definitions
1818
Prime Recipient DefinitionIf non-State entities are PRIME recipients
File 1512 on their own April 2010 Reporting
Follow same process as January 2010 for 2009Q4 Send a copy to [email protected]
July 2010 Reporting Provided option to move to STIMULUS360
Reports posted on www.stimulus.ms.gov If non-State are sub-recipients of the State
Follow the procedures of the State Lead Agency for each specific Federal Award
Mississippi Reporting Model Definitions
1919
Who Are the Mississippi PlayersStatewide
Office of the GovernorStimulus Coordinator for the State
Amanda Jones, Counsel to Governor Haley BarbourDepartment of Finance and Administration/OFM
Monitoring State AgenciesInternal Controls/Quality Assurance
Department of Finance and Administration/MMRSToolsData RepositoryPolicies and Procedures Repository
Department of Finance and Administration/OB&FMState Fiscal Stabilization Funds Lead Agency on behalf of the Governor
Office of the State AuditorAudits State AgenciesSingle AuditMonitoring for all but State levelPerformance AuditsInvestigation of Fraud and Abuse
Mississippi Reporting Model Definitions
2020
Who Are Agency / Governmental Entity PlayersMany Players
Executive DirectorProgram Manager for the Federal AwardFinance and Accounting Staff1512 Report Preparers
Recommendation – No more that 1 Federal Award per Preparer1512 Report Reviewers
Recommendation – No more than 2-3 Federal Awards per ReviewerInternal Auditor
Mississippi Reporting Model Definitions
2121
Key IssuesCommunicate with sub-recipients (and if a State Agency with other State entities receiving sub-allocations)Set standards and timelines and stick to themKeep up with the constant changes by the federal granting agenciesNo decisions can be made in a vacuum
Program and Finance/Accounting staff must be on the same page!Every decision reduced to writing
Document! Document! Document!Maintain copies of other documentation supporting all decisions
Make sure the documentation is for a resource authorized to make their answer stand up
Work papers must be orderly, accessible, and auditable!
Mississippi Reporting Model Definitions
2222
Federal Agency
Prime Recipient (Lead Agency)
Sub-recipients Vendors
Sub-allocated to state agency(Reports Data to Lead Agency as
Part of Prime Recipient)
Vendors
Sub-recipients Vendors
Vendors
1512 Reporting Model
23
Easy Way To Policies and Procedures
Memos and Instructions
24
Memos and Instructions
2525
All Stimulus communications are published under the link of “Find ARRA Policies and Procedures” at www.stimulus.ms.gov
Notification emails issued to State agencies and other known entities regarding new communications
New memos added on a regular basis Memos modified as required (and flagged as “Revised”):
Sub-allocations vs. sub-recipients (state agency to state agency) due to the definition of the State (ARRA Reporting Guidance v2 and Memo #1)
CFDA Recovery Programs (OMB Supplement #1) (Memo #6) Purchasing Law Changes (Memo #9) Updated chart of enhancements to SAAS with anticipated dates
(Memo #13) Additional categories of contracts in the Award/Contract Interface
and corrections to the chart of points of entry (Memo #17) Stimulus360 Demo and Required Training… (Memo #30)
Memos and Instructions
26
Reporting ObservationsThe State’s View
2727
Required Executive Directors to sign Certification
I, (agency director), hereby certify to the Mississippi Department ofFinance and Administration (DF A) that American Reinvestment and Recovery Act (ARRA) funds accepted and disbursed by (agency name) will be spent as responsibly and effectively as possible while maintaining the appropriate controls and reporting mechanisms to ensure accountability and transparency in compliance with ARRA. I understand that my agency may not accept nor escalate ARRA funds unless this certification is made to DFA; that failure tosubmit required reports or information may result in the loss of the agency's ability to expend Stimulus funds; and that a copy of this certification will be placed on file with the Office of the Governor and posted on stimulus.ms.gov.
In addition, I certify compliance with the following:1) pursuant to Title , Subtitle __ , Section(s) of the American Recovery andReinvestment Act (Public Law 111-5 (February 17, 2009)) ("ARRA"), _(type of) investments funded with amounts appropriated by ARRA under the heading:_________ (Program Name) to the (Federal Agency) will receive the full review and vetting required by law and that I accept responsibilitythat such investments of ARRA funds will be appropriate uses of taxpayer dollars;
MISSISSIPPI AGENCY CERTIFICATION UNDERTHE AMERICAN RECOVERY AND REINVESTMENT ACT
2828
2) the specific information required by Section(s) and Section 1512 concerning each such investment is in strict accordance with federal ARRA requirements and in accordance with the guidelines issued by DFA to meet reporting requirements;3) accept responsibility for communicating with respective federal agency(ies) to ensure we remain in compliance with all requirements of ARRA and will communicate those requirements to DFA in a timely manner;4) risks are or will be identified and internal controls which are sufficient to mitigate the risk of waste, fraud, and abuse are or will be implemented;5) prior audit findings, if applicable, have been addressed and corrective action plans implemented;6) the certification currently made on documents submitted to DFA for payment is inclusive of the following for ARRA funds:
a. the claims are just, due, correct and unpaid;b. the goods sold or services rendered have been delivered or performed in good order;c. all statutory requirements covering the payment of this claim have been complied with,
i. all state statutory and regulatory requirements have been ,complied with;ii. all federal statutory and regulatory requirements have been complied with;iii. all grant-specific requirement have been complied with; andiv. all ARRA-specific requirements have been complied with.
MISSISSIPPI AGENCY CERTIFICATION UNDERTHE AMERICAN RECOVERY AND REINVESTMENT ACT
29
Quality Assurance Plan
Mississippi is a ‘De-Centralized State’ for ARRA 1512 Reporting. Heads of prime recipient entities are responsible for compliance with
ARRA policies and procedures and Section 1512 reporting. DFA, on behalf of the Governor, developed Mississippi’s Quality
Assurance Plan for State Agencies includes instructions and checklists for both preparers and reviewers
Office of State Auditor who has monitoring oversight over federal fund recipients not in State level government and has audit responsibilities for all federal funds received in Mississippi (including investigative powers) has similar questionnaires posted on the OSA website
30
Quality Assurance“Data quality is an important responsibility of key stakeholders identified in the Recovery Act. Prime recipients, as owners of the data submitted, have the principal responsibility for the quality of the information submitted.”
Source: Implementing Guidance for Reports on Use of Funds Pursuant to the American Recovery and Reinvestment Act of 2009, OMB, June 22, 2009
31
Mississippi’s 1512 Quality Assurance Plan:
Decentralized Reporting Mississippi’s 1512 Quality Assurance Plan:
Decentralized Reporting
AGENCY PREPARERAGENCY PREPARER
AGENCY COMPLIANCE
DESIGNEE
AGENCY COMPLIANCE
DESIGNEE
DFA QA DFA QA TEAMTEAM
DFA QA DFA QA TEAMTEAM
Drives testing and decisions at an Agency level with oversight from DFA 1512 Team
AGENCY REVIEWERAGENCY REVIEWER
Inte
rnal
Contro
ls
Audit Activities
AGENCYAGENCY EXECUTIVE DIRECTOREXECUTIVE DIRECTOR
This process works regardless of whether a State agency, County,
Municipality, School District, IHE, Non-profit
32
Control Activities – These policies and procedures help ensure management directives are carried out
Information and Communication – Pertinent information must be identified, captured and communicated in a form and time frame that supports all other control components
Monitoring – Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time
Control Environment – The control environment sets the tone of an organization, influencing the control consciousness of its people
Risk Assessment – Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level
Internal Control - Integrated Framework, COSO
Quality Assurance – COSO
33
Leveraging Activities to Help Ensure Maximum Coverage without Redundancy
Who Activity Control Components
Preparer
Compiles information from: programs, SAAS, subrecipients, suballocants and vendors & completes supporting schedules
Prepares reporting template Maintains sufficient documentation for
review/ verification Completes preparer’s checklist
Control Activities
Information and Communication
Reviewer
Re-performs and verifies data elements against supporting docs
Completes reviewer’s checklist Documents issues and exceptions
Control Activities
34
Leveraging Activities to Help Ensure Maximum Coverage without Redundancy
Who Activity Control Components
Compliance Designee
Assumes responsibility for compliance with all ARRA rules & regulations (i.e., reporting, monitoring and oversight of program compliance)
Reviews the check-list prepared by reviewer
Oversees corrective action
Control Environment
Information and Communication
Internal Audit *
Performs risk based reviews Leverages checklist Ties to source on a sample basis Reports on control and compliance
weaknesses
Risk Assessment Monitoring
* Internal Audit cannot design or perform specific control activities. Internal Audit’s role is to* Internal Audit cannot design or perform specific control activities. Internal Audit’s role is to
monitor the overall effectiveness of the controls established and executed by management.monitor the overall effectiveness of the controls established and executed by management.
35
Leveraging Activities to Help Ensure Maximum Coverage without Redundancy
Who Activity Control Components
Executive Director
Ultimately responsible for all agency activity and compliance.
Control Environment
Information and Communication
External
QA Team
(DFA for agencies; OSA
for others;
Some external auditors for
certain entities)
Establishes procedures for recording
& tracking ARRA funds
Disseminates information, guidance &
rules to agencies
Reviews compliance with 1512
reporting requirements
Emphasizes agency internal controls
Monitors agency ARRA compliance
Assists GAO in its review & reporting
Risk Assessment Control Activities Monitoring Information &
Communication Control
Environment
36
ARRA Monitoring
A Risk Assessment Spreadsheet was used to assign risk to each grant
Financial Risk (maximum 25 points)1512 Expended Amount 12/31/09
1512 Reporting Compliance (used checklist)
Internal Control Risk (maximum 35 points)Single Audit Findings
OMB/GAO Risk
Other Reports
12/31/09 Risk Assessments
36
37
ARRA Monitoring
A Risk Assessment Spreadsheet was used to assign risk to each grant
Public Interest Risk (maximum 10 points)All Executive Agencies considered medium at a minimum
Public records request or inquiries
Operational Risk (maximum 30 points)Time to spend funds
Subrecipient Type
Subrecipient Count
Discretion
New Program
Type of Expenditure
Overall Risk (maximum 100 points)37
38
ARRA Monitoring
Interviews were conducted with each agency receiving ARRA funds – 23 agencies and 67 grants
KPMG was given agencies’ 12/31/09 assessments
Overall risk assessment score and individual assessment scores determined order agency onsite monitoring will occur
38
39
ARRA Monitoring
Template developed for agency field workGovernance/Oversight/Management
Human Capital
General Accounting
Purchasing and DisbursementsProcurement/Acquisition
Allowable Costs – Activities Allowed or Unallowed
Fixed Assets
Disbursements
Cash ReceiptsGeneral
Cash Management
Program Income39
40
ARRA Monitoring
Template developed for agency field workGrants Management
Program Requirements
Matching Requirements
Eligible Activities
Eligible Participants (selection of subrecipients)
ReportingARRA 1512 Reporting
Performance and Other Reporting
GAAP Financial Statement Reporting
Subrecipient Monitoring
40
41
ARRA Monitoring
Template developed for agency field workDavis-Bacon Act Compliance
Contract Monitoring
Information Systems
Special Provisions/Additional Steps
41
42
Waste, Fraud and Abuse
Source: Recovery.gov 2/16/2010
43
Waste, Fraud and Abuse
See Recovery.gov for the complete list of disclosure
protections.
Source: Recovery.gov 2/16/2010
4444
DFA Home Pagehttp://www.dfa.state.ms.us/index.htm
MAAPP Manual http://www.dfa.state.ms.us/Offices/OFM/MAAPP.htm
OFM Internal Control Memos & Presentations http://www.dfa.state.ms.us/Offices/OFM/OFM.htm
MS Stimulus.govhttp://stimulus.ms.gov/msgo/mssr.nsf
Stimulus Policies and Procedures for Agencieshttp://www.mmrs.state.ms.us/statewide_applications/Stimulus/Stimulus_Policies_and_Procedures.shtml
Resources
45
Internal Controls & ARRA Monitoring in Mississippi
Leila MalatestaOffice of Fiscal Management, Director
Department of Finance and Administration601-359-3405
NASC Annual ConferenceThursday, March 25, 2010
Des Moines, Iowa