Office of the Attorney General
October 10, 2013 · Read the full official report (PDF) ↗
source
“Except for the issues addressed in the Audit Findings section of this report, for the period July 1, 2010 through June 30, 2012, the AGO maintained adequate internal controls over its financial operations and program activities and complied with applicable laws, rules, and regulations for the areas tested.”
Read the plain-English breakdown
This is a performance audit of the Massachusetts Attorney General's Office covering July 1, 2010 through June 30, 2012.
“In accordance with Chapter 11, Section 12, of the Massachusetts General Laws, we conducted a performance audit at the Attorney General’s Office (AGO) for the period July 1, 2010 through June 30, 2012.”
Auditors reviewed whether the office had proper internal controls, including controls over revenue, spending, public charity operations, fixed assets, and computer access.
“Our audit was initiated to determine whether the AGO’s internal control structure was suitably designed and to assess the adequacy of controls over its operations, including internal controls over financial records pertaining to revenue and expenditures.”
The Attorney General's Office handles lawsuits involving the Commonwealth and manages sensitive case information, public money, and state property.
“The AGO is responsible for representing the Commonwealth in all lawsuits and civil proceedings in which the Commonwealth is an interested party.”
For an ordinary resident, the audit is about whether a major state office is protecting public money, state equipment, and sensitive legal information properly.
“The AGO’s case-management system consists of separate application modules used to manage information related to civil and criminal cases.”
The biggest problem was that former employees still appeared on active user lists, including some with high-level access, even though auditors found no evidence of unauthorized access.
“Our test of system access security controls revealed that 143 former AGO employees, including 56 with high-level access privileges to the AGO’s case-management database system, remained on the active user list.”
The findings matter because weak controls can increase the risk of lost checks, lost revenue, unauthorized internal access, or poor tracking of state assets.
“Without the AGO’s performing an annual physical inventory and reconciliation and adhering to the OSC Fixed Asset Accounting and Management Policy, there is the potential for Commonwealth assets to be improperly safeguarded against loss, theft, or misuse and the inability to verify that its inventory system of record and the Fixed Asset Subsystem are complete, accurate, and up to date.”
A 'GAAP fixed asset' means a significant long-term item the state owns, such as land, buildings, vehicles, equipment, or computer systems, that must be recorded and tracked under accounting rules.
“The Commonwealth defines GAAP fixed assets as all tangible property (real and personal) such as land, buildings, computer software and systems, landmarks, infrastructure and equipment, etc., with a useful life of more than one year.”
3 figure(s) pending source verification - not shown
What the Auditor checked
- Partially Determine whether the AGO took appropriate corrective action regarding prior deficiencies in revenue controls and registration and filing-fee operations of the Not-for-Profit Organizations / Public Charities Division.
- Partially Determine whether the AGO took appropriate corrective action regarding prior deficiencies in controls over fixed-asset management.
- Partially Determine whether the AGO’s overall internal control structure was suitably designed and implemented to support its operations.
- Complied Determine whether the NPO/PCD has established and implemented adequate internal controls over its program operations.
- Did not comply Determine whether system access security controls over the case-management application database were suitably designed and implemented to ensure that access privileges to the application system were being properly safeguarded and restricted to authorized users.
What the Auditor found
Why it matters: Confidential and sensitive case-management information could be vulnerable to unauthorized internal access.
Standard: AGO internal control plan and COBIT IT security control framework ( Control Objectives for Information and Related Technology (COBIT) )
Agency response & Auditor reply
Agency: "The AGO has deactivated the accounts of former employees and has created a periodic review and reconciliation procedure which is also now reflected in the AGO’s ICP."
Auditor: "Based on its response, we believe that, by strengthening internal controls over its system user accounts, the AGO is taking appropriate measures to address concerns we identified."
Why it matters: Late processing increases the risk that checks may be misplaced or lost and that revenue due to the Commonwealth may be lost.
Standard: AGO internal controls and OSC Cash Recognition and Reconciliation Policy ( OSC Cash Recognition and Reconciliation Policy; Chapter 30, Section 27, of the Massachusetts General Laws )
2 recommendations
- More closely monitor procedures to ensure checks are sent to the Budget Division within one business day of receipt.
- If daily remittance is impractical, seek an exception from the Executive Office of Administration and Finance and the Office of the State Treasurer.
Agency response & Auditor reply
Agency: "The AGO is seeking from the State Treasurer an exception from the requirement per the same statute that establishes the requirement, M.G.L. c. 30, § 27."
Why it matters: The AGO could not ensure that Commonwealth fixed assets were safeguarded against loss, theft, or misuse or that inventory records were complete, accurate, and current.
Standard: OSC Fixed Assets – Accounting and Management Policy ( OSC Fixed Assets – Accounting and Management Policy )
2 recommendations
- Develop and implement policies, procedures, and internal controls to ensure an annual physical inventory and reconciliation is conducted and documented on or around June 30 each fiscal year.agency: already implemented
- Assign a unique asset identification number to each GAAP and non-GAAP fixed asset.
Agency response & Auditor reply
Agency: "The AGO will run a report based on its perpetual inventory system and reconcile physically its fixed assets to the report on or about June 30 of each year."
Auditor: "Based on its response, we are pleased that the AGO is taking measures to improve its classification of fixed assets and strengthen internal controls by conducting and documenting an annual physical inventory and reconciliation process."
Why it matters: The value of fixed assets could be understated and depreciation expenses distorted in the statewide CAFR.
Standard: OSC Fixed Asset Accounting and Management Policy and Fixed Assets – Acquisition Policy ( OSC Fixed Asset Accounting and Management Policy; OSC Fixed Assets – Acquisition Policy )
2 recommendations
- Establish and implement internal controls to follow OSC inventory and reporting policies for fixed assets, especially GAAP fixed assets, and record GAAP fixed assets in MMARS within seven days of acquisition.
- Review policies and procedures for midyear and annual GAAP fixed-asset reviews and determine whether additional controls are needed to ensure accurate confirmation forms.
Agency response & Auditor reply
Agency: "With respect to the second GAAP fixed asset, the EMC storage unit lease, the AGO did not enter the lease within seven days of its acquisition because it initially identified the lease as an operating lease."
Auditor: "With regard to the AGO’s telecommunications system, we recognize that on occasion technical malfunctions can take place that may prevent the timely recording of transactions in MMARS."
Prior findings revisited
"Prior Audit Results Partially Resolved"
"Our prior audit report (No. 2003-0072-2S) disclosed that inadequate administrative controls and an outmoded public-charities database had hindered the Not-for-Profit Organizations / Public Charities Division’s (NPO/PCD’s) enforcement of Massachusetts laws requiring accountability by all public charities engaging in charitable work or fundraising in the Commonwealth."
"Our prior audit report disclosed that the AGO had not conducted annual physical inventories and reconciliations or ensured that its inventory records were complete by including total costs and asset identification numbers, as required by the OSC."