Office of the Inspector General - Examination of Annual Internal Control Questionnaire
August 25, 2015 · Office of the Inspector General · Read the full official report (PDF) ↗
source
“OIG’s 2014 ICQ had inaccurate responses on the subjects of its internal control plan (ICP) and risk assessment.”
Read the plain-English breakdown
This is a limited audit of the Massachusetts Office of the Inspector General’s annual Internal Control Questionnaire for the fiscal year that ran from July 1, 2013 through June 30, 2014.
“In accordance with Chapter 11, Section 12, of the Massachusetts General Laws, the Office of the State Auditor has conducted a limited-scope performance audit of certain information reported in the Office of the Inspector General’s1 (OIG’s) ICQ for the period July 1, 2013 through June 30, 2014.”
The audit checked whether the office’s answers to the State Comptroller about internal controls were accurate.
“The objective of our audit was to determine whether certain responses that OIG provided to OSC in its fiscal year 2014 ICQ were accurate.”
If an agency reports inaccurate information about its controls, state officials cannot reliably judge whether the agency has enough safeguards for financial reporting.
“Further, inaccurate information in the ICQ prevents OSC from effectively assessing the adequacy of OIG’s internal control system for the purposes of financial reporting.”
For ordinary residents, this matters because internal controls are the basic safeguards meant to help public agencies use money and authority properly, follow the rules, and reduce risks like mistakes or fraud.
“Without establishing an ICP in accordance with OSC guidelines, OIG may not be able to achieve its mission and objectives effectively; efficiently; and in compliance with applicable laws, rules, and regulations.”
The main problem was not that the auditor tested every control and found them broken; it was that OIG’s paperwork said it met requirements, but the auditor found that some answers were inaccurate or not backed up.
“Some of the information that the Office of the Inspector General (OIG) reported in its Internal Control Questionnaire (ICQ) to the Office of the State Comptroller (OSC) for fiscal year 2014 was inaccurate or not supported by documentation.”
The auditor recommended that OIG fix the issues, follow Comptroller requirements, accurately report its controls and risk assessment, keep a signed certification, and ask the Comptroller for help if needed.
“OIG should take the measures necessary to address the issues we identified during our audit and should ensure that it adheres to all of OSC’s requirements for developing an ICP and accurately reporting information about its ICP and risk assessment on its ICQ.”
The report is significant because the agency that investigates fraud, waste, and abuse was itself found to have inaccurate or unsupported reporting about its own internal-control documentation.
“According to its website, the office has “a broad mandate . . . to prevent and detect fraud, waste, and abuse in government.””
An Internal Control Questionnaire is the yearly form agencies fill out to describe whether their safeguards and procedures are working; an internal control plan is the agency’s written plan for those safeguards.
“Each year, the Office of the State Comptroller (OSC) issues a memorandum (Fiscal Year Update) to internal control officers, single audit liaisons, and chief fiscal officers instructing departments to complete an Internal Control Questionnaire (ICQ) designed to provide an indication of the effectiveness of the Commonwealth’s internal controls.”
What the Auditor checked
- Partially Did the Office of the Inspector General accurately report certain information about its overall internal control system to the Office of the State Comptroller in its 2014 Internal Control Questionnaire?
What the Auditor found
Why it matters: The Office of the State Comptroller could not effectively assess the adequacy of OIG’s internal control system for financial reporting, and OIG may not achieve its mission and objectives effectively or in compliance with applicable requirements.
Standard: Office of the State Comptroller internal control guidelines, ICQ instructions, and COSO enterprise risk management components. ( Chapter 11, Section 12, of the Massachusetts General Laws; Chapter 12A of the Massachusetts General Laws; Chapter 93H, Section 3, of the General Laws; Chapter 93I of the General Laws; Chapter 647 of the Acts of 1989; Chapter 12A of the Massachusetts General Laws and Title 945 of the Code of Massachusetts Regulations )
2 recommendations
- OIG should address the audit issues, follow OSC requirements for developing an internal control plan, accurately report information about its internal control plan and risk assessment on its ICQ, and retain a printed, approver-signed certification copy.agency: agreed
- OIG should request guidance from OSC if necessary.agency: agreed
Agency response & Auditor reply
Agency: "The OIG will revise its ICP."
Auditor: "We believe that OIG’s intention to implement our recommendations concerning the above matters is responsive to our concerns."
More audits of this entity
Other Office of the State Auditor reports on Office of the Inspector General .
- Audit of the Office of the Inspector General (OIG) - Review of Cybersecurity Awareness TrainingState Agency / Office · November 5, 2021