Michigan Statewide Risk Assessment


Upload: justin-hinkley

Post on 29-Jan-2016


DESCRIPTION

An assessment of the risk to government programs and services and taxpayer dollars by the Michigan Office of Internal Audit Services and other officials from Gov. Rick Snyder's administration.

TRANSCRIPT

Page 1: Michigan Statewide Risk Assessment

Office of Internal Audit Services

Mission

To enhance and protect organizational value by providing Executive branch departments and agencies of the State of Michigan with risk-based, objective and reliable assurance, advice, and insight

Leadership, Courage, Duty, Enthusiasm, Focus, Measures, Excellence, Integrity, Vision, Accountability, Collaboration, Teamwork, Loyalty, Camaraderie, Results

DRAFT 2016 Risk Assessment and Plan of Engagements

State of Michigan
October 1, 2015 through September 30, 2016


2016 Risk Assessment and Plan of Engagements

Confidential 2 Draft

TABLE OF CONTENTS

• Executive Summary
• Introduction
• 2016 Fiscal Year Appropriation for Office of Internal Audit Services (OIAS)
• Plan of Engagements
• Mission, Vision, and Core Principles of OIAS
• Mission
• Vision
• Core Principles
• Definition of Internal Auditing
• Purpose
• Statutory Mandates
• Governance and Risk Management Approach
• Enterprise Risk and Control Committee
• Lines of Defense Model
• Plan of Engagements Methodology
• Preparing for the Risk Assessment and Plan of Engagements
• Consideration of Information Technology Processes
• Red Card
• Office of the Auditor General (OAG) Collaboration
• Office of Good Government (OGG) Collaboration
• OAG Material Weakness Evaluation
• Look Back Analysis/Project Carryforward
• Project Selection and Prioritization Process
• Risk Factors
• Planned Engagements
• Strategic and Operational Excellence
• Appendix A – Department Risk Assessment/Heat Maps
• Appendix B – Agency FY 16 Appropriations vs. Budgeted Audit Hours
• Appendix C – Listing of OAG Material Weaknesses as of September 30, 2015


Executive Summary

The Management and Budget Act of 1984 required each principal department within the Executive branch to appoint its own internal auditor. Executive Order (EO) No. 2007-31, effective October 1, 2007, essentially consolidated the internal audit function and established a centralized Office of Internal Audit Services (OIAS) within the State Budget Office (SBO), and transferred the authority, responsibilities, duties, functions, and resourcing for internal audit services to the State Budget Director.

Since the implementation of the EO in 2007, OIAS has been successful in the creation of a centralized internal audit approach and its supporting role in statutory compliance with Michigan Compiled Laws Section 18.1485, as amended by Section 18.46. This law requires each principal department to establish, maintain, and evaluate the sufficiency of its internal control and issue a biennial report to the Governor. The law also requires an independent review by OIAS on the overall adequacy of the departments’ evaluation and reporting processes. This approach, while not exact, has similar overall themes and characteristics to the U.S. federal law enacted by Congress on July 30, 2002 commonly known as the Sarbanes-Oxley Act.

On April 1, 2015, State Budget Director John Roberts and Chief Internal Auditor Jeff Bankowski presented a draft vision and reinvention plan to Governor Rick Snyder and Senior Advisor and Transformation Manager Rich Baird. Key components of the reinvention plan included a “top-down” and “bottom-up” review of the existing internal audit risk methodology, a framework for enhanced collaboration with the Office of Auditor General (OAG) to resolve recurring material weaknesses and reduce duplication of effort, and the creation of an oversight risk committee. The reinvention plan will continue to emphasize traditional internal audit assurance and consulting to the principal departments and agencies, which will include areas such as performance and program assessment, operational excellence, scorecards/metrics, Good Government initiative support, and staff augmentation/risk assessment of the Statewide Integrated Governmental Management Applications (SIGMA) IT system implementation. The newly created Risk Committee will monitor OIAS’s Risk Assessment and Plan of Engagements (the Plan) on a quarterly basis.

Ultimately, it is the desire of the State of Michigan (State) to further capitalize on its significant investment in internal control and strong “tone at the top” to build a leading practice internal audit and risk management process with a long-term goal of OIAS achieving a “trusted advisor” status with its critical stakeholders.

Explanatory Note: The attached document is in draft format subject to review and approval by the Enterprise Risk and Control Committee (Risk Committee)


Introduction

This document provides a written roadmap for the Fiscal Year 2016 Plan. In implementing its mission, OIAS practices conform to the International Standards for Professional Practice of Internal Auditing (Standards) issued by the Institute of Internal Auditors (IIA). IIA Standards require that the Chief Internal Audit Executive establish a risk-based plan to determine the priorities of the internal audit activity consistent with the organization’s goals. This Plan provides our vision of internal audit efforts for the fiscal year, allocating resources to the most critical areas of risk within the State.

OIAS’s overall approach to this document leverages Governor Snyder’s planning approach of “Vision, Engage, Adjust, and Attack.” Our intent of the risk assessment planning process is not to be overly prescriptive on each activity but rather flexible and proactive with our stakeholders due to the changing risk profile and dynamic nature of the State. To illustrate that flexibility, OIAS will provide an update regarding its risk assessment and prioritization process every six months and will adjust the rolling plan based on feedback and approval of the Risk Committee. The projects initially identified for the Plan leveraged a formal risk assessment model that considered input from various stakeholders including the Executive Office of the Governor, the Cabinet members, State agency management, and the State Budget Office. The Risk Committee performs final approval and oversight of the Plan.

2016 Fiscal Year Appropriation for OIAS

The total appropriation for OIAS during 2016 amounts to approximately $5.4 million, representing no material change from the $5.4 million appropriated in 2015.

Sources of Funding

| Appropriations | FY 2016 | FY 2015 |
|---|---|---|
| General Fund/General Purpose | $3,272,600 | $3,549,000 |
| Special Revenue/SWCAP | 1,482,400 | 1,220,600 |
| State Restricted Indirect Funds | 617,900 | 617,900 |
| Total | $5,372,900 | $5,387,500 |

Disposition of Appropriations

| Category | FY 2016 Budget | FY 2015 Incurred |
|---|---|---|
| Salaries & Fringes | | |
| Salaries | $2,890,231 | $2,757,936 |
| Longevity | 11,510 | 11,431 |
| Insurance | 483,465 | 452,555 |
| Retirement/FICA | 1,797,466 | 1,665,863 |
| Supplemental Retirement | 7,705 | 30,819 |
| Total Salaries & Fringes | $5,190,377 | $4,918,605 |
| Support | | |
| Travel | $9,500 | $9,500 |
| Conferences and Seminars (Training) | 10,000 | 10,000 |
| IT Expenditures | 129,550 | 132,025 |
| Other Support | 33,473 | 24,600 |
| Total Support | $182,523 | $176,125 |
| Total Appropriation | $5,372,900 | $5,094,730 |


Plan of Engagements

Below are the Internal Audit budgeted hours by activity beginning October 1, 2015 through September 30, 2016. This budget assumes no change in current staffing headcount.

2016 Internal Audit Budgeted Hours by Activity

| Activity | Hours |
|---|---|
| Engagement Activities | 30,876 |
| Operational Excellence / Process reviews | 8,040 |
| Material Weaknesses: Validation | 7,750 |
| Consulting | 3,400 |
| Material Weaknesses: Corrective Action Consultation | 3,150 |
| Assurance | 1,150 |
| Reserve for Agency requests | 7,386 |
| Infrastructure and Process Improvements | 9,980 |
| Statewide Initiatives | 3,700 |
| SIGMA Support | 3,500 |
| Enterprise Information Management (EIM) | 200 |
| Risk Assessment and Plan of Engagements | 600 |
| Internal Control Evaluation | 1,100 |
| ICE Reengineering | 900 |
| Central monitoring/support | 200 |
| Quarterly Reporting to Risk Committee | 280 |
| Divisional assessment, measurement, and quarterly committee presentation | 200 |
| Report coordination | 80 |
| Fraud | 700 |
| W2- Reviews | 300 |
| Other Planned Engagements | 300 |
| Sec 487 (potential irregularities) | 100 |
| General Administration | 5,324 |
| Earned Leave / State Holidays | 11,000 |
| Leave | 7,928 |
| Holidays | 3,072 |
| Departmental Support/Partnership Activities | 700 |
| External audit liaison | 500 |
| Departmental leadership meetings | 200 |
| Statutory Reporting Responsibilities | 550 |
| 60-day response and CAP monitoring | 550 |
| CAFR/Financial Reporting Responsibilities | 1,230 |
| CAFR Support Projects | 1,150 |
| Third Party Service Organization monitoring | 80 |

Infrastructure and Process Improvements line items: Strategic Plan Activities; Employee training and procedure manual; Engagement process improvement - LEAN; Corrective Action Monitoring; Branding and Stakeholder Survey; TeamMate support and enhancements; Engagement quality assurance; OIAS Time & Performance Metrics; Employee evaluation/performance management; Audit & Analytics Computer Environment (AACE) monitoring; Data analytics support; End User Computing (EUC) coordination.

Hours listed for these line items: 3,400; 2,000; 600; 300; 700; 1,120; 650; 500; 460; 200; 50.

| Summary | Hours |
|---|---|
| Total Hours Available for Plan | 66,040 |
| Total Engagement and Oversight Activities | 38,556 |
| Total Strategic Initiatives | 4,700 |
| Total Professional Development | 3,000 |
| Total Effort Supporting Processes | 3,460 |
| Total General Administration | 5,324 |
| Total Earned Leave / State Holidays | 11,000 |


Mission, Vision, and Core Principles of OIAS

In August 2015, as a follow up to the OIAS reinvention plan presented to the Governor and to conform to revised guidance issued by the IIA, OIAS commenced a structured and disciplined approach to revise, adjust, and affirm, where applicable, its mission, vision, and core principles.

Mission

To enhance and protect organizational value by providing Executive branch departments and agencies of the State of Michigan with risk-based, objective and reliable assurance, advice, and insight.

Vision

To be regarded as trusted advisors who positively impact the efficiency and effectiveness of services that Executive branch departments and agencies deliver to the citizens of Michigan.

Core Principles

The 10 core principles highlight what effective internal auditing looks like in practice as it relates to the individual auditor, the internal audit function, and internal audit outcomes. The 10 OIAS core principles are:

• Demonstrates uncompromised integrity
• Demonstrates commitment to competence, accountability, and due professional care
• Displays objectivity in mindset and approach and is free from undue influence
• Aligns with the strategies, objectives and risks of the Governor & Executive Branch
• Is appropriately positioned and adequately resourced
• Demonstrates quality, innovation, and continuous improvement
• Communicates effectively
• Provides risk-based assurance to those charged with governance
• Is insightful, proactive, and future-focused
• Promotes organizational improvement

Definition of Internal Auditing

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve the State of Michigan. It helps the State accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

[Figure: "Trusted Advisor" quadrant chart with axes Relationships and Competence; quadrants: Compliance function, Capable but poorly aligned, Engaged but not strategic, Trusted Advisor]

Purpose

OIAS’s purpose is to help ensure:

• Risks are appropriately identified and managed
• Programs, plans, and objectives are achieved
• Significant financial and operating information is accurate, reliable, and timely
• Resources are acquired economically, used efficiently, and adequately safeguarded
• Employees’ actions are in compliance with policies, standards, procedures, and applicable laws and regulations
• Quality and continuous improvement are fostered in the State’s internal control process
• Significant legislative or regulatory issues impacting the State are addressed appropriately
• Interaction with the various governance groups occurs as needed

Statutory Mandates

With respect to its 2016 Plan, OIAS meets the statutory mandates of the required internal audit functions as defined in Michigan Compiled Laws (MCL) Section 18.1486, as amended by Section 18.46. These mandates include:

1. Receive and investigate any allegations that false or misleading information was received in evaluating a principal department’s internal accounting and administrative control system or in connection with the preparation of the biennial report on the system

Assessment: OIAS has an established process to investigate any allegations with respect to false or misleading information. OIAS, where applicable, collaborates with the Attorney General and Inspectors General of select departments to ensure any allegations are properly addressed. In addition, departments will next report on their system of internal control in May 2017, and related OIAS efforts will be included in the 2017 Plan.

2. Conduct and supervise audits relating to financial activities of a principal department’s operations

Assessment: OIAS, in conjunction with the principal departments, has included audits of financial activities in its Plan. In addition, OIAS will conduct select financial activities with respect to the State’s Comprehensive Annual Financial Report (CAFR).

3. Review existing activities and recommend policies designed to promote efficiency in the administration of a principal department’s programs and operations

Assessment: OIAS, in conjunction with the principal departments, has built a detailed Plan with the intent of recommending policies designed to promote efficiency and effectiveness in the departments’ programs and operations.

4. Recommend policies for activities to protect the State’s assets under the control of a principal department, and to prevent and detect fraud and abuse in the principal department’s programs and operations

Assessment: OIAS advises principal departments on policies to protect the State’s assets and assesses the risk for fraud and abuse during our engagements. Additionally, OIAS discusses fraud and abuse risk factors in our ongoing interaction with stakeholders and has integrated the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) enhanced fraud risk assessment considerations into the statutorily required enterprise-wide internal control evaluation (ICE) process.

5. Review and recommend activities designed to ensure that a principal department’s internal financial control and accounting policies are in conformance with applicable accounting directives

Assessment: OIAS, in conjunction with the principal departments and the Office of Financial Management (OFM) within SBO, has built a detailed Plan with the intent of recommending policies designed to promote internal financial control and ensure departments’ accounting policies comply with applicable OFM accounting directives.

6. Provide a means to keep the State Budget Director and the head of a principal department fully and currently informed about problems and deficiencies relating to the administration of the principal department’s programs and operations, and the necessity for, and progress of, corrective action

Assessment: On a weekly basis, the Chief Internal Auditor meets with the State Budget Director to ensure that the Director is fully informed regarding enterprise risk and internal control. In addition, the Chief Internal Auditor will meet quarterly with the newly formed Risk Committee for the 2016 fiscal year. OIAS has a process to identify internal control weaknesses and to assess the principal departments’ plans for remediation. OIAS uses this information in the annual planning process and when conducting individual engagements. Finally, a primary purpose for communicating our engagement results is to keep our various stakeholders informed about new problems and deficiencies.

7. Conduct other audit and investigative activities as assigned by the State Budget Director

Assessment: The engagement plan includes the audits and investigative activities identified by our departmental stakeholders as well as the State Budget Director.


8. Prepare biennial reports for principal departments regarding their ICE results

Assessment: OIAS meets this statutory requirement in odd numbered years. The next reporting date is May 1, 2017, and related OIAS efforts will be included in the 2017 Plan. OIAS’s 2016 Plan includes several engagements to improve the biennial reporting process. The Plan also includes Strategic and Operational Excellence and several process review engagements designed to make further improvements to internal control documentation associated with departments’ evaluation activities.

9. Report immediately to the State Budget Director and the principal department head if the internal auditor becomes aware of particularly serious or flagrant problems, abuses, or deficiencies relating to the administration of programs or operations of a principal department or agencies within the department

Assessment: As a normal course of business, departments periodically inform OIAS of potentially serious or flagrant problems, abuses, or deficiencies. OIAS engagements include steps designed to identify these types of serious issues. OIAS practice is always to conduct necessary investigative and inspection procedures pursuant to professional standards to substantiate that issues have or have not occurred, at which point our standard protocol is to report immediately to the State Budget Director and the principal department head.

10. Further, the statute requires internal auditors to adhere to appropriate professional and auditing standards in carrying out any financial or program audits or investigations

Assessment: OIAS adheres to the International Standards for Professional Practice of Internal Auditing (IIA Standards). Those Standards require that the Chief Internal Auditor develop and maintain a Quality Assurance and Improvement Program (QAIP) that covers all aspects of the internal audit activity. Standards further require that the QAIP must include both internal and external assessments. OIAS meets the internal assessment by performing ongoing monitoring of its internal audit activities and by performing periodic self-assessments. OIAS meets the external assessment by performing an internal assessment with independent external validation every five years. OIAS’s most recent review was performed by Experis Finance, who conducted an independent validation of the OIAS quality self-assessment. On September 27, 2012, Experis Finance concluded and issued an opinion that overall OIAS generally conforms, which is the highest rating. Our next external assessment is planned for 2017.


Governance and Risk Management Approach

Effective governance is based on establishing a framework that supports the activity of the State in achieving its objectives. A robust framework defines the limits of acceptable behavior without limiting innovation. The State’s governance structure includes the newly formed Enterprise Risk and Control Committee and its corresponding Lines of Defense.

Enterprise Risk and Control Committee

On September 21, 2015, State Budget Director John Roberts and Chief Internal Auditor Jeff Bankowski recommended to Governor Rick Snyder the creation of an Enterprise Risk and Control Committee for the Executive branch. Based on leading practices and Good Government constructs, the State Budget Director indicated accountability and customer engagement would increase through a more robust and cross-functional discussion with quarterly monitoring from an engaged stakeholder group. The Risk Committee assists the State Budget Director and Chief Internal Auditor in prioritizing limited OIAS resources.

Enterprise Risk and Control Committee Members

Chairperson – John Roberts – State Budget Director

Committee Members (Representing the Governor’s Executive Groups):

• Rich Baird – Governor’s Executive Office
• David Behen – Value for Money Government
• Nick Lyon – People
• Jamie Clover Adams – Quality of Life
• Mike Zimmer – Economic Strength and Office of Good Government


Lines of Defense Model

Risk assessment and internal audit are integral parts of the governance framework. This framework has three main elements, or lines of defense, all of which combine to provide the Risk Committee, as the Governing Body, with assurance that the State is effectively managing risk as depicted below:

• The first line of defense rests with the department and agency operations and management that perform the day-to-day risk management activity, largely through established processes and project management controls.

• The second line of defense is held by the oversight functions within the State at the administrative level in such areas as legal, finance, budget, compliance, quality, and information technology. They provide guidance to the business on risk areas where policies and procedures are necessary.

• Internal Audit forms the third line of defense, offering independent oversight and assurance that the processes in the first two lines of defense are operating effectively.

• Other assurance providers are depicted such as External Audit (OAG) and Federal Regulators. These entities, although separate from the Executive Branch, provide information, assurance and coverage that the State is operating as intended.

Each line of defense provides information to Senior Management and the Governor to help monitor operations and maintain stewardship responsibilities to its citizens. Consistent with leading practices, the work of OIAS should address the gaps in the assurance effort rather than replicating management activity or that of the other providers. At the same time, however, OIAS should provide objective monitoring with regard to the effectiveness of management and their processes.


Plan of Engagements Methodology

The OIAS planning methodology considers the three lines of defense of the governance framework and its Internal Audit Methodology to focus on areas of high agency risk and areas of concern while not replicating the assurance provided by others.

Focusing on Risks and Associated Mitigating Actions Is Fundamental in the Formation of the 2016 Risk Assessment and Plan of Engagements

Key Stages in the Approach

• Define engagement parameters
• Examine the key strategic drivers of each agency in order to identify significant risks
• Identify the processes used to manage key risks
• Leverage Strategic and Operational Excellence
• Follow a top-down/risk based review
• Allocate resources to the greatest risk
• Initial review and monitoring of current risk mitigation activities
• Engagement on assessing controls
• Report and follow-up

Benefits

• Effective and efficient engagement with an emphasis on leading practices
• Coordinates with OAG to ensure maximum reliance and reduction of duplicate effort
• Transparent reporting
• Prompt response to emerging issues
• Valuable feedback and advice
• Assessment of control design/effectiveness
• Aligns internal audit efforts with key processes identified in ICE
• Monitoring of compliance with critical programs and operational excellence policies
• Continuous improvement on ideas that can help manage risk and improve performance


Preparing for the Risk Assessment and Plan of Engagements

OIAS performed a preliminary risk assessment on behalf of Senior Leadership of the Executive Branch to develop the 2016 Plan. The risk assessment process involves ongoing interaction with our stakeholders and a formal process to review current documentation. These documents included, but were not limited to, the following:

• 2014 State of Michigan Comprehensive Annual Financial Report (SOMCAFR)
• 2014 Statewide Single Audit Report and related corrective action plans
• 2015 Appropriation Acts
• 2015 SIGMA IT revised implementation plan and Project Charter
• Documentation for Departments’ 2015 Biennial Report on their Internal Control Evaluation (ICE)
• Michigan’s 10-Point Reinvention Plan
• Department strategic plans, program changes, and related scorecard/metrics
• DTMB Call for Information Technology (IT) Projects for FY15
• 2015 List of Material Weaknesses and related corrective action plans
• State of Michigan RED CARD IT services associated with critical business functions

Subsequent to the review of the aforementioned documentation, OIAS requested feedback on risks and opportunities in each Executive branch department. Cabinet members, department leadership, and other stakeholders provided this feedback. See Appendix A – Department Risk Assessment/Heat Maps for further details.

Consideration of Information Technology Processes

The Department of Technology, Management and Budget (DTMB) is the State’s Executive branch IT service provider and serves as the general contractor between the State’s information technology users and private sector IT service providers. DTMB is responsible for establishing and coordinating the technological direction of the State. In doing so, DTMB works with State departments and agencies to ensure a secure and effective operating environment for the State’s Information Technology infrastructure.

DTMB also has primary responsibility for establishing, maintaining, and monitoring internal control over the State’s IT environment (general controls) and supporting processes. However, some aspects of the State’s general controls are not implemented enterprise-wide; instead, they are established and maintained at the department business process-level based on guidance issued by DTMB. As a result, DTMB and departments share responsibility for designing, implementing, and performing business process-level control activities and assessing its control effectiveness.


Departments, as the IT application and data owners, have primary responsibility for designing, implementing, and conducting application specific internal control (ASCs) and assessing its effectiveness.

Historically, OIAS assurance coverage of IT issues involved enterprise-wide evaluations of general control processes (e.g., Web application security, Oracle database administration) and DTMB’s progress at remediation. OIAS completed assessments in 2010 and 2015, and provided overall conclusions for DTMB’s process capability maturity for key theme areas, including IT security program, System access, statewide continuity planning, change control/management, and IT contracting practices. In response to these two assessments, DTMB included in its 2015 “Call for IT Projects” the need to address theme area control remediation as a project. The vision for this project is to embed into DTMB’s management process an ongoing assessment of control effectiveness for the identified theme areas and underlying unresolved material weaknesses.

For the upcoming fiscal year, OIAS engagements associated with IT topics will involve follow-up of previous control issues classified as material weaknesses. Of the 106 material weaknesses considered in this plan development cycle through September 30, 2015, 18 were associated with IT related issues. OIAS classified nearly all of the IT material weaknesses as medium or high-risk based on the defined criteria. These insights highlight both the importance and pervasiveness of IT technology across the enterprise. Due to the importance of IT from a risk and control perspective, OIAS plans to participate on the DTMB Theme Area Control Remediation Project, and as a subject matter expert on controls for the SIGMA IT project. Specifically, OIAS has allocated 2.5 full time resources to the SIGMA project during the 2016 fiscal year.

Red Card

The State’s Red Card is a listing of services/applications the State agencies, in conjunction with DTMB, have identified as critical and require significant priority for business resumption procedures. In planning new engagements and follow up of agency remediation efforts, OIAS considered the Red Card’s services/applications in its holistic view of risks.

Office of the Auditor General Collaboration

On June 24, 2015, the OIAS and OAG signed a Memorandum of Understanding (MOU) that outlined several planned activities to begin collaboration on assurance efforts and to reduce duplication of effort in accordance with the three lines of defense model. To that end, on October 26, 2015, OIAS leadership met with the Auditor General and Deputy Auditor General to discuss our current risk assessment and planned activities. See Appendix A for heat map assessments that include the OAG’s past and current audit efforts.

Due to its interconnecting roles, OIAS and OAG will continue to collaborate within the limits of their respective organizations’ charters, professional standards, and statutory mandates to minimize the duplication of effort and to foster an effective working relationship for the benefit of the Executive branch departments, agencies, and the citizens they serve.

Office of Good Government Collaboration

Governor Snyder created the Office of Good Government (OGG) during his first term. OGG provides strategic direction and training on programs that include employee engagement, change management, service/process optimization, and performance management. Ultimately, the goal of OGG is to create an efficient, effective, transparent, accountable, and customer-centered State government.

Many of the goals of OGG regarding efficiency and effectiveness are similar to those of OIAS. Thus, both entities have committed to collaborate regarding various initiatives. To further strengthen the linkage, John Roberts, the State Budget Director, and Director Mike Zimmer of Licensing and Regulatory Affairs (LARA), are members of both the Good Government Committee and the Enterprise Risk and Control Committee. During its 2016 Risk Assessment and Plan of Engagements process, OIAS and OGG collaborated, where applicable, to discuss opportunities and gain synergies in its consulting efforts to further support process improvement in the State. See details below for further discussion regarding OIAS’s and OGG’s combined roles in Strategic and Operational Excellence.

OAG Material Weaknesses Evaluation

In May 2015, OIAS initiated an analysis and roll up of material internal control weaknesses included in audit reports issued beginning October 1, 2012. A material weakness is defined as a matter that, in the auditor’s judgement, is more severe than a reportable condition and could impair the ability of management to operate a program in an effective and efficient manner and/or could adversely affect the judgement of the interested person concerning the effectiveness and efficiency of the program.

We evaluated the current status of material weaknesses and collaborated with the OAG on plans to conduct follow-up engagements for the purpose of assessing implementation of corrective actions intended to remediate the material weaknesses and to offer consultation for any design deficiencies identified. OIAS classified the material weaknesses as high, medium, or low risk based on consideration of several quantitative and qualitative factors. These assessments are included in Appendix C - Listing of Material Weaknesses. Our Plan includes those material weaknesses for which we intend either to follow up and validate remediation results or to consult on the sufficiency of the planned efforts.

OIAS also included in its initiatives for fiscal year 2016 enhancements to our audit repository process (Teammate) for reconciling material weaknesses with the OAG. These enhancements are intended to improve the audit planning process and reporting on the status of known material weaknesses.


Look Back Analysis / Project Carryforward

Since July 2015, OIAS has concentrated its efforts to finalize all engagement activities for prior years. As of October 30, 2015, only four engagements remain open:

• DEQ – SAW Grant Program Administration
• DOC – Service Contract Consult
• DHHS – Data Consult
• DTMB – Enterprise Architecture

Project Selection and Prioritization Process

OIAS’s development of its annual risk-based Plan is a multi-step iterative process. OIAS first identified and conducted a risk assessment of the State’s auditable entities. To ensure selection of highest risk and value-added projects, OIAS mapped each identifiable business component to the department’s critical assessable units identified during the 2015 ICE cycle. In addition, OIAS identified other factors such as departmental scorecard/metrics, major federal programs, significant contracts, information systems, management concerns, and reported material weaknesses associated with each critical assessable unit.

OIAS based the number of projects selected for inclusion in the Plan on factors such as the impact the project may have (the problem or risks it addresses and the likely types of opportunities for improvement that may result); the sensitivity, complexity, and difficulty of the project compared to its likely impact; the amount of audit coverage already being provided by OAG and other department audit functions; OIAS staff qualifications; and available resources. In addition, the Plan includes several entity-wide projects selected for the opportunity to address common high-risk areas across the organization.

OIAS recently participated in a benchmarking review with various third parties including internal audit teams from Blue Cross Blue Shield, Accident Fund, and the State of Ohio. Additionally, OIAS engaged DTMB’s Office of Performance Management in October for a lean review of its audit planning methodology. These efforts are planned into January 2016, and are included in our Plan of Engagements. All of the initiatives discussed are intended to expand OIAS’s capability to move towards higher risk engagements with narrower scope. This effort will allow for quicker turnaround times and enable a timely response to identified issues. However, some projects are inherently complex and require additional time for OIAS to provide quality results and to comply with IIA Standards.

OIAS’s available resources limit the number of projects that can be completed each year. As a result, there may be a number of high-risk areas that are not addressed by the Plan.


Risk Factors

OIAS used eight factors to assess the risks associated with the State’s auditable entities. Risk factors were scored based on likelihood of the risk and the impact of the event. Weights were assigned to the various risk factors to calculate a composite risk score and initial heat maps for each auditable entity. The heat maps were further adjusted based on agency leadership feedback and OIAS’s professional judgment. Using this information, OIAS further determined areas to prioritize and provide to the Risk Committee for review.

Risk Factors and Associated Weights

Risk Factor | Weight | Description
Management Concerns | 150% | Management concerns or other known issues.
Importance of Business Objective to the State's Overall Mission | 100% | The impact of the auditable activity in relation to the State's overall mission, goals, and strategic plan.
Control Environment | 100% | Measure of program area's overall attitude toward maintaining a sound system of internal control.
Known Material Weaknesses to Be Followed Up | 100% | Measure of existing material weaknesses or engagements that require follow up.
Dollar Amount Supported Through Activity | 70% | Measure of the exposure or loss related to the amount of money supported through the business objective. Over $500 million = 5; $250 million to $500 million = 4; $100 million to $250 million = 3; $15 million to $100 million = 2; $15 million or less = 1.
Regulatory / Legal Requirements / Federal Funding | 65% | Measure of exposure, loss or regulatory sanction due to complexity and volume of regulations, penalties for noncompliance, and the amount of federal funding.
Maturity of Business Process | 60% | Measure of various factors including: changing processes; established policies and procedures, adequate resources, program staff training, experienced managers, program performance measurements.
Exposure Risk | 50% | Measure of exposure, loss or sensitivity based on the visibility of business objective by the legislature, special interest groups or public interest.


Planned Engagements

The following schedule represents planned engagement areas based on an evaluation of agency audit priorities from heat maps, discussions with agency management, and available resources.

OIAS, in consultation with the Risk Committee, may revise projects and schedules of the Plan.

The OIAS level of effort included in the Plan is generally categorized as follows:

• Small – less than 300 hours
• Medium – between 300 and 500 hours
• Large – between 500 and 800 hours

The planned areas for fiscal year 2016 include:

# | Department | Engagement Area | Level of Effort | Type of Engagement | Description of Engagement Scope

Value for Money Government and Treasury

1 | Treasury | Office of Financial Services | Small | Consulting | Develop scope for SOC1 and SOC2 reports of Chase bank activities.
2 | Treasury | Tax Processing and Office of Financial Services | Medium | Consulting | Develop/evaluate process for managing City of Detroit income tax processing. Will be used by City's external auditors.
3 | Treasury | Collections | Small | Follow Up | Accounts Receivable material weakness.
4 | Treasury | Collections | Large | Consulting | Process review in coordination with LEAN activities, and consult on several OAG material weaknesses.
5 | Treasury | Local Government | Small | Follow Up | Performance process review.
6 | Treasury | Local Government | Small | Follow Up | OAG audit of Principal Residence Exemption material finding.
7 | Treasury | Critical Assessable Unit (CAU) to be determined | Medium | Consulting | Process review.
8 | Treasury | Local Government | Medium | Consulting | Essential Services Assessment process review.
9 | Treasury | Lottery - iLottery | Medium | Assurance | Review application controls.
10 | CSC | Office of Compliance | Medium | Follow Up | Monitoring and CQI Process Review.
11 | DTMB-MB | Office of Support Services | Medium | Assurance | Assist in contract oversight with VTS contracts, primarily on-site visit with Wheels, Inc. to review contract pricing documentation.
12 | DTMB-MB | Office of Retirement Services | Small | Consulting | Year-end closing review, in support of SOM CAFR.
13 | DTMB-MB | Office of Procurement | Small | Consulting | Participate on Purchasing process improvements and monitoring activities and consult on the development of the Enterprise Procurement Policy Manual. Includes three OAG material findings.
14 | DTMB-MB | SBO - OFM/Statewide Single | Small | Consulting | Review vendor file controls designed to prevent unauthorized changes.
15 | DTMB-IT | IT Mgmt., IT Tech Infrastructure, IT Apps, Cybersecurity | Medium | Consulting | Consult on the IT Theme Area Project. This DTMB project is intended to implement an enterprise control and monitoring solution for common IT internal control weaknesses.
16 | DTMB-IT | IT Mgmt., IT Apps | Medium | Follow Up | Enterprise data warehouse material findings.
17 | DTMB-IT | IT Mgmt., IT Apps | Small | Consulting | Propose enhancements to SUITE for the development of IT internal control design/evaluation methodology.
18 | DTMB-IT | IT Mgmt., IT tech infrastructure, IT apps, Cybersecurity | Small | Consulting | Enterprise Cybersecurity consulting project.
19 | Statewide | ICE | Large | Consulting | Implement voice of customer and changes to the internal control evaluation (ICE) process.
20 | Statewide | Statewide | Medium | Assurance | Statewide fraud reporting project.
21 | Statewide | Continuous Monitoring through Data Analysis (CMDA) | Large | Consulting | Consultation on the Enterprise Information Management (EIM) project, monitoring performance of data analytics system, and internal training to OIAS staff on data analytics techniques.

Quality of Life and Economic Strength

22 | DNR | Department-wide Grants Management | Large | Consulting | Review design of department-wide infrastructure for administering State/Federal grants, and identify leading practices.
23 | DEQ | SAW Grant Administration | Medium | Assurance | Assess implementation of SAW grant program, status of grant activity.
24 | DEQ | Underground Storage Tank Authority | Medium | Consulting | Process mapping and review design of internal control consult.
25 | DTED | Community Ventures Program | Medium | Consulting | Review outcome information and update data.
26 | DTED | Michigan Strategic Fund/Michigan Economic Development Corporation - Controls over Federal Compliance | Medium | Consulting | Review design of internal control over federal compliance, and identify leading practices.
27 | DTED | Unemployment Insurance Agency (UIA) - Unemployment Insurance Benefit Overpayments and Nonmonetary Eligibility Determinations | Large | Follow Up | Four material findings the OAG reported in March 2011.
28 | DTED | UIA - Collection of Delinquent Unemployment Taxes and Reimbursements | Large | Follow Up | Two material findings the OAG reported in January 2012.
29 | DTED | Michigan Strategic Fund - Internal Control over Financial Reporting | Medium | Consulting | Review design of internal control over financial reporting, and identify leading practices.
30 | LARA | Bureau of Professional Licensing - Oversight of Health Professionals | Medium | Follow Up | Three material findings the OAG reported in February 2015.
31 | LARA | Bureau of Fire Services and the State Fire Marshal | Large | Follow Up | Six material findings the OAG reported in April 2014.
32 | LARA | Bureau of Community and Health Systems - Health Facilities Division | Small | Follow Up | One material finding the OAG reported in March 2014.
33 | LARA | Bureau of Construction Codes | Small | Follow Up | Review of boiler and elevator inspections.
34 | LARA | Bureau of Community and Health Systems - Adult Foster Care and Homes for the Aged | Medium | Follow Up | Two material findings the OAG reported in May 2015.
35 | LARA | Liquor Control Commission | Small | Follow Up | Review of license issuance.
36 | LARA | Bureau of Services for Blind Persons | Small | Follow Up | Review of equipment inventory and operators' monthly reports.
37 | MDARD | Food and Dairy Division | Medium | Assurance | Review implementation of Operational Excellence.

People, Health and Education

38 | MDE | Office of Great Start - Child Care Development Fund | Large | Follow Up | Two material findings the OAG reported in July 2013 report.
39 | MDE | Office of Great Start - Child Care Development Fund | Large | Follow Up | One material finding the OAG reported in July 2013 report.
40 | MDE | Office of Great Start - Child Care Development Fund | Medium | Consulting | Map processes and key controls across multiple departments covered by the program.
41 | MDE | Administration and Support Services | Medium | Consulting | Financial Review of State Aid and Federal Grant accounting practices.
42 | DHHS | Field Operations - Office of Child Support | Medium | Assurance | Child Support Accrual Review.
43 | DHHS | Michigan Children's Services Agency - Children's Advocacy Center | Medium | Assurance | Review select expenditures from the FY15 Children's Advocacy Center Fund to support accuracy of financial statements.
44 | DHHS | Medical Services Administration (MSA) - Medicaid | Medium | Consulting | FY15 Medicaid Accrual - Review of select accruals for accuracy of calculations.
45 | DHHS | IT and Project Management - Bridges | Large | Follow Up | Evaluation of CAPS and Quarterly Status Update on three material findings the OAG reported in the July 2013 report - Q1 - Q4.
46 | DHHS | Medical Services Administration (MSA) - Home Help | Medium | Follow Up | Quarterly Evaluation of CAP and status for one material finding the OAG reported in July 2013 report.
47 | DHHS | Medical Services Administration (MSA) - Home Help | Large | Follow Up | One material finding the OAG reported in July 2013 report.
48 | DHHS | Aging and Adult Services - Adult Protective Services | Large | Follow Up | Quarterly Status Update on 6 material findings the OAG reported in the July 2013 report - Q1 - Q4.
49 | DHHS | Behavioral Health - Center for Forensic Psychiatry | Medium | Follow Up | One material finding the OAG reported in July 2013 report.
50 | DHHS | Field Operations - Temporary Assistance for Needy Families (TANF) | Large | Consulting | Process mapping - How TANF funding is used and distributed to other MDHHS programs, sub-recipients and other state departments.
51 | DHHS | Michigan Children's Services Agency - Business Service Centers | Large | Consulting | Process Mapping - Obtain understanding and map processes and responsibilities related to child welfare programs.
52 | DHHS | Population Health - Emergency Medical Services | Large | Assurance | EMS personnel and equipment compliance review.
53 | DHHS | Michigan Children's Services Agency - Child Care Fund | Small | Consulting | Special Request Regarding Children's Services Agency.

Public Safety

54 | DOC | Prisoner Medical Offsite Service Charges | Medium | Follow Up | Follow up to ensure DOC has adequate billing controls.
55 | DOC | Application Control | Medium | Consulting | Review application controls.
56 | DOC | OMS User Profiles | Medium | Follow Up | Application Control Review.
57 | DOC | IT General Business Process | Small | Consulting | Review IT general business process.
58 | DOC | Prisoner Time/OMS Development | Large | Assurance | Test manual key controls over time computations.
59 | DOC | Contract Risk Assessment | Small | Consulting | Assist DOC in setting up a risk based contract monitoring methodology.
60 | DOC | Contract Monitoring | Medium | Assurance | Test key controls performed by contract compliance inspectors.
61 | DOC | Accounts Payable | Medium | Assurance | Test key controls performed by accounts payable staff.
62 | MSP | Forensic Science | Small | Follow Up | Forensic Science Application Control Review.
63 | MSP | LEAN Gun Registration | Small | Consulting | Participate with LEAN team to add insight regarding key controls over new gun registration process.
64 | State | Registration Fee | Small | Follow Up | Review corrective action to ensure accurate registration fees for commercial vehicles.
65 | State | User Controls | Medium | Consulting | Assist DOS with general controls review.
66 | DMVA | Tuition Assistance | Small | Assurance | Test compliance with statute.
67 | DMVA | Veteran Service Organization | Medium | Consulting | Assist MVAA in designing effective monitoring over veteran service organization contracts.

Summary of Planned Engagements by Type and Agency

Department | Assurance | Consulting | Follow-Up | Grand Total
CSC | | | 1 | 1
DEQ | 1 | 1 | | 2
DHHS | 3 | 4 | 5 | 12
DMVA | 1 | 1 | | 2
DNR | | 1 | | 1
DOC | 3 | 3 | 2 | 8
DTED | | 3 | 2 | 5
DTMB-IT | | 3 | 1 | 4
DTMB-MB | 1 | 3 | | 4
LARA | | | 7 | 7
MDARD | 1 | | | 1
MDE | | 2 | 2 | 4
MSP | | 1 | 1 | 2
DOS | | 1 | 1 | 2
Statewide | 1 | 2 | | 3
Treasury | 1 | 5 | 3 | 9
Grand Total | 12 | 30 | 25 | 67


Strategic and Operational Excellence

During August 2015, Contract No. 071B5500121 was executed between the State of Michigan and The McDonnell Company, LLC to implement Operational Excellence with OIAS and the OGG assigned as program managers to the enterprise contract. Subsequently in September 2015, the program was expanded to include PwC and Mass Ingenuity for Strategic Excellence with OGG as the lead program manager with advisory support from OIAS.

Both programs work in tandem with the intent of creating strategic and operational alignment for lasting cultural change in State government. The combined program leverages a “top-down” (strategic excellence) and “bottom-up” (operational excellence) approach to implement the Governor’s vision of excellence for the State.

OIAS plays a critical oversight role in the program and has built detailed assessment into the Plan to incorporate this effort. The intent of the Plan is to be flexible and aligned with Strategic Excellence to focus engagement effort on the core processes of State government that must work well to drive the State’s key outcomes. OIAS will also opine on documentation of core processes and effectiveness of related controls through a review of process measures, targets, and outcomes as defined on the Governor’s Fundamentals and Strategy Maps, which will be completed by February 2016.

[Figure: Strategic and Operational Excellence Work in Tandem]


APPENDIX A - DEPARTMENT HEAT MAPS

Organized by Governor’s Executive Grouping

Value for Money Government and Treasury
• Technology, Management, and Budget
• Treasury, includes Lottery and Gaming Control Board
• Civil Service

Economic Strength
• Talent and Economic Development
• Licensing and Regulatory Affairs
• Insurance and Financial Services
• Transportation*

Quality of Life
• Michigan Department of Agriculture and Rural Development
• Environmental Quality
• Natural Resources

People
• Health & Human Services
• Civil Rights

Public Safety
• Corrections
• Michigan State Police
• Military and Veterans Affairs

Other Executive Branch Departments
• Michigan Department of Education
• Secretary of State
• Attorney General

*Department of Transportation is statutorily separate and not audited by OIAS

Note: Reflected on subsequent pages (Pages 25 – 41), program size is characterized by an alphabetic letter to correspond to range of appropriation and/or dollars supported through the activity. For simplicity, the index is included here and intentionally not duplicated on each heat map.

Program Size

• Over $500 million = A
• $250 million to $500 million = B
• $100 million to $250 million = C
• $15 million to $100 million = D
• $0 to $15 million = E

Technology, Management and Budget (DTMB)

On September 16, 2015 and October 14, 2015, Chief Deputy Director Brom Stibitz, Deputy Director Phil Jeffery, Financial Services Director Mike Gilliland, and John Juarez, Compliance Officer, met with Jeff Bankowski and Rick Lowe of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) by Impact (Incidental, Minor, Moderate, Major, Extreme); risk bands LOW, MEDIUM, HIGH]

# | Risk Universe / Business Components | Program Size | OAG Material Weakness (Operations, IT Related); Recent Audits/Engagements FY13, FY14, FY15 (OAG, OIAS); OAG Work in Process; OIAS Planned Engagements
1 | Cybersecurity and Infrastructure Protection | B |
2 | IT Applications | A |
3 | IT Technical Infrastructure | C | 2
4 | IT Management | C |
5 | IT External Controls | C |
6 | DTMB Procurement | A | 3
7 | Office of Retirement Services | A |
8 | Statewide Single Audit | E | 20 3
9 | Office of Support Services (includes VTS, Logistics, and Operations) | D | 1 1
10 | Building Operations | D |
11 | State Budget Office - Other | E |
12 | Design and Construction | D |
13 | Office of the State Employer | D |
14 | Labor Market Information and Strategic Initiatives | D |
15 | Real Estate | D |
16 | Office of Children's Ombudsman | E | 1
17 | Office of Organization and Performance Measurement | E |

IT - Business Process General Controls
IT - Application Control

Total FY16 Appropriations: $1,195,329,600
Total # of Material Weaknesses: 25 6

Treasury

On September 22, 2015 the Treasurer and Deputy Treasurers met with Jeff Bankowski, Rick Lowe, and Stacey Bliesener of OIAS. On September 28, 2015 the Lottery Commissioner met with Sandy Streb and Sherri Washabaugh of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) by Impact (Incidental, Minor, Moderate, Major, Extreme); risk bands LOW, MEDIUM, HIGH]

# | Risk Universe / Business Components | Program Size | OAG Material Weakness (Operations, IT Related); Recent Audits/Engagements FY13, FY14, FY15 (OAG, OIAS); OAG Work in Process; OIAS Planned Engagements
1 | Collections | A | 2 3
2 | Tax Processing | A |
3 | Investments | A |
4 | Financial Services | A |
5 | Local Government Services | A | 1
6 | Lottery | A |
7 | Office of Privacy and Security | E |
8 | Office of Dept Services | C |
9 | Gaming Control Board | D |
10 | Tax Compliance | A |
11 | Office of Revenue and Tax Analysis | A |
12 | Bureau of State and Authority Finance | A |
13 | Tax Policy | D |
14 | Student Financial Services Bureau | D |

IT - Business Process General Controls
IT - Application Control

Total FY16 Appropriations: $1,945,052,200
Total # of Material Weaknesses: 3 3

Civil Service Commission (CSC)

On October 12, 2015, OIAS shared with key leaders at the Civil Service Commission (CSC) our Heat Map and planned engagement description, inviting their review and feedback. Key leaders included in the correspondence were Matt Fedorchuk, Chief Deputy Director; Carol Vargovich, Chief Financial Officer; and Mike Winters, Audit Liaison. The only planned engagement involves a follow-up of remediation efforts associated with a prior OIAS audit of the Office of Compliance. CSC representatives did not provide any feedback necessitating adjustment to our plans.

[Heat map: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) by Impact (Incidental, Minor, Moderate, Major, Extreme); risk bands LOW, MEDIUM, HIGH]

# | Risk Universe / Business Components | Program Size | OAG Material Weakness (Operations, IT Related); Recent Audits/Engagements FY13, FY14, FY15 (OAG, OIAS); OAG Work in Process; OIAS Planned Engagements
1 | Business Application Support | E |
2 | HR Statewide Activities (includes Civil Rights, Civil Service, DCH, DOC, Gaming, DHS, LARA, Lottery, DMVA, Quality of Life, MSP, DTMB, MDOT, Treasury, and MDE) | C |
3 | Benefits | A |
4 | Compliance | E |
5 | Disability Management Office | E |
6 | Compensation | E |
7 | Personal Services Review | E |

IT - Business Process General Controls
IT - Application Control

Total FY16 Appropriations: $67,894,100
Total # of Material Weaknesses: 0 0

Department of Talent and Economic Development (DTED)

On September 1, 2015 Director Steve Arwood and Chief of Staff Greg Tedder of DTED, met with John Roberts, State Budget Director, and Jeff Bankowski and Bryan Weiler of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) by Impact (Incidental, Minor, Moderate, Major, Extreme); risk bands LOW, MEDIUM, HIGH]

# | Risk Universe / Business Components | Program Size | OAG Material Weakness (Operations, IT Related); Recent Audits/Engagements FY13, FY14, FY15 (OAG, OIAS); OAG Work in Process; OIAS Planned Engagements
1 | Unemployment Insurance Agency | E | 6
2 | Talent Investment Agency | E |
3 | MSF/MEDC | D | 3
4 | MSHDA | E |

IT - Business Process General
IT - Application Control

Total FY16 Appropriations: $1,153,023,500
Total # of Material Weaknesses: 9 0

Licensing and Regulatory Affairs (LARA)

On September 30, 2015 Director Mike Zimmer and Deputy Director/Chief Financial Officer Allan Pohl of LARA, met with Jeff Bankowski, Bryan Weiler, and Paul Jacokes of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) by Impact (Incidental, Minor, Moderate, Major, Extreme); risk bands LOW, MEDIUM, HIGH]

# | Risk Universe / Business Components | Program Size | OAG Material Weakness (Operations, IT Related); Recent Audits/Engagements FY13, FY14, FY15 (OAG, OIAS); OAG Work in Process; OIAS Planned Engagements
1 | Fire Services | D | 6
2 | Professional Licensing | D | 4
3 | Bureau of Community and Health Systems | D | 2 1
4 | Michigan Agency for Energy and Public Service Commission | D | 1
5 | Construction Codes | D |
6 | Adjudication (MAHS - MI Admin Hearing System) | D |
7 | Liquor Control Commission | D |
8 | Worker's Compensation Agency | D |
9 | MIOSHA (incl. Wage and Hour) | D |
10 | Bureau of Services for Blind Persons | D | 2
11 | Bureau of Securities and Corporations | D |
12 | Employment Relations | E |
13 | Finance and Administrative Services | D |

IT - Business Process General Controls
IT - Application Control

Total FY16 Appropriations: $407,649,000
Total # of Material Weaknesses: 15 1

Michigan Department of Insurance and Financial Services (DIFS)

On October 7, 2015 Director Pat McPharlin, Chief Deputy Director Teri Morante, and Chief Financial Officer Penny Wright of DIFS, met with John Roberts, State Budget Director, Jeff Bankowski and Bryan Weiler of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) by Impact (Incidental, Minor, Moderate, Major, Extreme); risk bands LOW, MEDIUM, HIGH]

# | Risk Universe / Business Components | Program Size | OAG Material Weakness (Operations, IT Related); Recent Audits/Engagements FY13, FY14, FY15 (OAG, OIAS); OAG Work in Process; OIAS Planned Engagements
1 | Offices of Banking and Credit Unions | D |
2 | Insurance Regulation | D |
3 | Offices of Consumer Services and Consumer Finances | E |
4 | Executive Direction and Department Services | D |

IT - Business Process General Controls
IT - Application Control

Total FY16 Appropriations: $65,057,700
Total # of Material Weaknesses: 0 0

Michigan Department of Agriculture & Rural Development (MDARD)

On October 8, 2015 Director Jamie Clover Adams, Director of Strategy and Business Performance Ken McFarlane, and Chief Financial Officer David Bruce, of MDARD, met with Bryan Weiler and Carol O'Callaghan of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) by Impact (Incidental, Minor, Moderate, Major, Extreme); risk bands LOW, MEDIUM, HIGH]

# | Risk Universe / Business Components | Program Size | OAG Material Weakness (Operations, IT Related); Recent Audits/Engagements FY13, FY14, FY15 (OAG, OIAS); OAG Work in Process; OIAS Planned Engagements
1 | Animal Industry Division | E |
2 | Departmentwide, Information and Technology and One Time Basis | E |
3 | Food & Dairy Division | D | 2
4 | Pesticide Plant Management | E |
5 | Environmental Stewardship Division | D |
6 | Laboratory Division | E |
7 | Agriculture Development | E |
8 | Fair and Expositions | E |

IT - Business Process General Controls
IT - Application Control

Total FY16 Appropriations: $86,594,000
Total # of Material Weaknesses: 2 0

Department of Environmental Quality (DEQ)

On October 28, 2015 Director Dan Wyant and Chief Deputy Director Jim Sygo of DEQ, met with Jeff Bankowski, Bryan Weiler, and Carol O'Callaghan of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) by Impact (Incidental, Minor, Moderate, Major, Extreme); risk bands LOW, MEDIUM, HIGH]

# | Risk Universe / Business Components | Program Size | OAG Material Weakness (Operations, IT Related); Recent Audits/Engagements FY13, FY14, FY15 (OAG, OIAS*); OAG Work in Process; OIAS Planned Engagements
1 | Office of Drinking Water & Municipal Assistance | C |
2 | Office of Waste Management & Radiological Protection | D |
3 | Water Resources Division | D |
4 | Remediation and Redevelopment Division | C |
5 | Air Quality | D |
6 | Office of Great Lakes/Great Lakes Initiative | D |
7 | Office of Oil, Gas, & Minerals | E |
8 | Executive, Administration, and IT | D |
9 | Law Enforcement Division | E |
10 | Office of Environmental Assistance | E |

IT - Business Process General Controls
IT - Application Control

* OIAS completed consulting engagements related to subrecipient monitoring, mailroom and cash receipting, and invoicing that involved most of DEQ's risk universe/business components.

Total FY16 Appropriations: $486,909,300
Total # of Material Weaknesses: 0 0

Department of Natural Resources (DNR)

On September 25, 2015 Finance and Operations Division (FOD) Chief Sharon Schafer and FOD Manager Amy Henderson, met with Bryan Weiler of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) by Impact (Incidental, Minor, Moderate, Major, Extreme); risk bands LOW, MEDIUM, HIGH]

# | Risk Universe / Business Components | Program Size | OAG Material Weakness (Operations, IT Related); Recent Audits/Engagements FY13, FY14, FY15 (OAG, OIAS); OAG Work in Process; OIAS Planned Engagements
1 | Parks and Recreation | D |
2 | Department-wide Grants Management | D |
3 | Forest Resources Division & Minerals Management Section | D |
4 | Fisheries Division | D |
5 | Wildlife Management | D |
6 | Law Enforcement | D |
7 | Finance & Operations Division | D |
8 | Communication & Customer Services | D |
9 | Executive Operations/Support Services/Information Technology | D |

IT - Business Process General Controls
IT - Application Control

Total FY16 Appropriations: $404,001,200
Total # of Material Weaknesses: 0 0


Department of Health & Human Services (DHHS)

On October 4, 2015, Director Nick Lyon, Deputy Director Tim Becker, Senior Deputy Director of Financial Operations Administration Farah Hanley, and Director of Bureau of Audit, Reimbursement and Quality Assurance Pam Myers of DHHS met with Jeff Bankowski, Mark Moeller, and Ed Brickner of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) versus Impact (Incidental, Minor, Moderate, Major, Extreme), with LOW, MOD and HIGH risk zones; business components 1 through 14 are plotted by number.]

| # | Risk Universe / Business Components | Program Size | OAG Material Weakness (Operations / IT Related) | Recent Audits/Engagements FY13, FY14, FY15 (OAG / OIAS / Other (Dept/Fed)) | OAG Work in Process | OIAS Planned Engagements |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Field Operations | A | 2 | | | |
| 2 | Michigan Children's Services Agency | A | | | | |
| 3 | Medical Services Administration | A | 1 | | | |
| 4 | IT and Project Management | A | 3 | | | |
| 5 | Aging and Adult Services | C | 6 | | | |
| 6 | Behavioral Health & Developmental Disabilities | A | 1 | | | |
| 7 | Population Health and Community Services | A | 1 | | | |
| 8 | Central Operations | A | | | | |
| 9 | Policy and Legislative | E | | | | |
| 10 | Component Unit - Early Childhood Investment | D | | | | |
| 11 | Office of Recipient Rights | E | 2 | | | |
| 12 | Inspector General | E | | | | |
| 13 | Legal Affairs Administration | E | | | | |
| 14 | External Relations and Communications | C | | | | |

IT - Business Process General Controls; IT - Application Control

Total FY16 Appropriations: $25,069,637,100

Total # of Material Weaknesses (Operations / IT Related): 12 / 4


Department of Civil Rights (DCR)

On October 2, 2015, Deputy Director Leslee Fritz met with Kathy Warner and Ed Brickner of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) versus Impact (Incidental, Minor, Moderate, Major, Extreme), with LOW, MEDIUM and HIGH risk zones; business component 1 is plotted by number.]

| # | Risk Universe / Business Components | Program Size | OAG Material Weakness (Operations / IT Related) | Recent Audits/Engagements FY13, FY14, FY15 (OAG / OIAS) | OAG Work in Process | OIAS Planned Engagements |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Enforcements/Complaints Division | D | | | | |

IT - Business Process General Controls; IT - Application Control

Total FY16 Appropriations: $16,128,700

Total # of Material Weaknesses (Operations / IT Related): 0 / 0


Department of Corrections (DOC)

On September 15, 2015, Director Heidi Washington and Deputy Director Jeri-Ann Sherry met with Jeff Bankowski and Connie MacKenzie of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) versus Impact (Incidental, Minor, Moderate, Major, Extreme), with LOW, MEDIUM and HIGH risk zones; business components 1 through 7 are plotted by number.]

| # | Risk Universe/Business Component | Program Size | OAG Material Findings (Operations / IT Related) | Recent Audits/Engagements FY13, FY14, FY15 (OAG / OIAS) | OAG Work in Process | OIAS Planned Engagements |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Prisons | A | | | | |
| 2 | Prisoner Health Care, Food, Transportation | B | | | | |
| 3 | Financial, budget, and IT | D | | | | |
| 4 | Offender Programming/Re-entry | C | | | | |
| 5 | Time Comp/Parole/Discharge | E | | | | |
| 6 | Parole and Probation Supervision | C | | | | |
| 7 | Pre-sentence Investigations | D | | | | |

IT - Business Process General Controls; IT - Application Control

Total FY16 Appropriations: $1,962,226,000

Total # of Material Weaknesses (Operations / IT Related): 0 / 0


Michigan State Police (MSP)

On September 3, 2015, Director Kristie Etue, Chief Deputy Director Shawn Sible, Internal Control Officer Sherri Irwin, and Internal Control Coordinator Jacqueline Reese of MSP met with State Budget Director John Robers and with Jeff Bankowski and Connie MacKenzie of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) versus Impact (Incidental, Minor, Moderate, Major, Extreme), with LOW, MEDIUM and HIGH risk zones; business components 1 through 5 are plotted by number.]

| # | Risk Unit / Business Components | Program Size | OAG Material Weakness (Operations / IT Related) | Recent Audits/Engagements FY13, FY14, FY15 (OAG / OIAS / Federal) | OAG Work in Process | OIAS Planned Engagements |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Forensic Labs & Biometrics | D | | | | |
| 2 | Training, MCOLES, CJIC | D | | | | |
| 3 | Field Services (posts, uniform services, criminal investigations) | B | | | | |
| 4 | Specialized Services (commercial vehicle enf, special ops, EMHSD, OHSP) | C | 1 | | | |
| 5 | Support Services (fleet leasing, OJ grants, ATPA, 911, secondary roads, administrative, technology) | D | 1 | | | |

IT - Business Process General Controls; IT - Application Control

Total FY16 Appropriations: $620,837,400

Total # of Material Weaknesses (Operations / IT Related): 2 / 0


Department of Military and Veterans Affairs (DMVA)

On September 25, 2015, Adjutant General Vadnais and Senior Deputy Director Russell Gullett of DMVA met with Connie MacKenzie and Randy Shaffer of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) versus Impact (Incidental, Minor, Moderate, Major, Extreme), with LOW, MEDIUM and HIGH risk zones; business components 1 through 3 are plotted by number.]

| # | Risk Universe / Business Objective | Program Size | OAG Material Weakness (Operations / IT Related) | Recent Audits/Engagements FY13, FY14, FY15 (OAG / OIAS / Federal) | OAG Work in Process | OIAS Planned Engagements |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Veteran Programs | D | 4 | | | |
| 2 | Military Related | D | 4 | | | |
| 3 | Administration and IT | E | | | | |

IT - Business Process General Controls; IT - Application Control

Total FY16 Appropriations: $166,953,700

Total # of Material Weaknesses (Operations / IT Related): 8 / 0


Michigan Department of Education (MDE)

On September 18, 2015, Deputy Superintendent Kyle Guerrant and Financial Officer Jane Schultz of MDE met with Kathy Warner and April Karns of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) versus Impact (Incidental, Minor, Moderate, Major, Extreme), with LOW, MEDIUM and HIGH risk zones; business components 1 through 5 are plotted by number.]

| # | Risk Universe / Business Components | Program Size | OAG Material Weakness (Operations / IT Related) | Recent Audits/Engagements FY13, FY14, FY15 (OAG / OIAS) | OAG Work in Process | OIAS Planned Engagements |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Office of Great Start | A | 7 | | | |
| 2 | Education Services | A | | | | |
| 3 | School Aid/Finance | A | | | | |
| 4 | Accountability Services | D | | | | |
| 5 | Administrative & Support Services | A | 3 | | | |

IT - Business Process General Controls; IT - Application Control

Total FY16 Appropriations: $14,202,205,500

Total # of Material Weaknesses (Operations / IT Related): 7 / 3

Note: Governor Snyder’s Executive Order in March 2015 moved the School Reform Office to DTMB (which is included in Education Services above); OIAS will address these risks and ensure applicable ICE documentation will be reflected in DTMB’s upcoming ICE cycle.


Secretary of State (DOS)

On September 21, 2015, Deputy Director Rose Jarios and audit liaison Steve Stier of DOS met with Connie MacKenzie and Daphne Hobson of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) versus Impact (Incidental, Minor, Moderate, Major, Extreme), with LOW, MEDIUM and HIGH risk zones; business components 1 through 5 are plotted by number.]

| # | Risk Universe/Business Components | Program Size | OAG Material Weakness (Operations / IT Related) | Recent Audits/Engagements FY13, FY14, FY15 (OAG / OIAS) | OAG Work in Process | OIAS Planned Engagements |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Driver/Vehicle Systems | C | 1 | | | |
| 2 | Elections | E | | | | |
| 3 | Department Services Administration | D | | | | |
| 4 | Regulatory | D | | | | |
| 5 | Customer Service (Records Maintenance/Info Center, Great Seal, UCC) | E | | | | |

IT - Business Process General Controls; IT - Application Control

Total FY16 Appropriations: $225,256,700

Total # of Material Weaknesses (Operations / IT Related): 0 / 1


Department of Attorney General (AG)

On October 19, 2015, Connie MacKenzie of OIAS emailed AG audit liaison James Selleck to confirm their earlier phone discussion regarding the risk assessment/heat map and outcome analysis presented below.

[Heat map: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) versus Impact (Incidental, Minor, Moderate, Major, Extreme), with LOW, MEDIUM and HIGH risk zones; business components 1 and 2 are plotted by number.]

| # | Risk Universe/Business Components | Program Size | OAG Material Weakness (Operations / IT Related) | Recent Audits/Engagements FY13, FY14, FY15 (OAG / OIAS) | OAG Work in Process | OIAS Planned Engagements |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Legal and Investigative Services | D | | | | |
| 2 | Financial, budget, and IT | E | | | | |

IT - Business Process General Controls; IT - Application Control

Total FY16 Appropriations: $92,107,600

Total # of Material Weaknesses (Operations / IT Related): 0 / 0


APPENDIX B – AGENCY FISCAL YEAR 2016 APPROPRIATIONS VS. BUDGETED AUDIT HOURS

| # | Agency Name | Appropriations All Funds FY 16 | % of Total | % of In-Scope | Estimated Audit Hours | % Hours of Budget |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Agriculture & Rural Development | $86,594,000 | 0.16% | 0.18% | 400 | 1.47% |
| 2 | Attorney General | 92,107,600 | 0.17% | 0.19% | - | 0.00% |
| 3 | Civil Rights | 16,128,700 | 0.03% | 0.03% | - | 0.00% |
| 4 | Civil Service | 67,894,100 | 0.12% | 0.14% | 300 | 1.10% |
| 5 | Corrections | 1,962,226,000 | 3.60% | 4.07% | 2,750 | 10.08% |
| 6 | Education | 14,202,205,500 | 26.04% | 29.49% | 2,000 | 7.33% |
| 7 | Environmental Quality | 486,909,300 | 0.89% | 1.01% | 800 | 2.93% |
| 8 | Health & Human Services | 25,069,637,100 | 45.97% | 52.05% | 6,040 | 22.13% |
| 9 | Insurance and Financial Services | 65,057,700 | 0.12% | 0.14% | - | 0.00% |
| 10 | Licensing and Regulatory Affairs | 407,649,000 | 0.75% | 0.85% | 2,500 | 9.16% |
| 11 | Military and Veterans Affairs | 166,953,700 | 0.31% | 0.35% | 500 | 1.83% |
| 12 | Natural Resources | 404,001,200 | 0.74% | 0.84% | 700 | 2.57% |
| 13 | Secretary of State | 225,256,700 | 0.41% | 0.47% | 400 | 1.47% |
| 14 | State Police | 620,837,400 | 1.14% | 1.29% | 350 | 1.28% |
| 15 | Technology, Management and Budget | 1,195,329,600 | 2.19% | 2.48% | 4,700 | 17.22% |
| 16 | Talent and Economic Development | 1,153,023,500 | 2.11% | 2.39% | 2,700 | 9.89% |
| 17 | Treasury | 1,945,052,200 | 3.57% | 4.04% | 3,150 | 11.54% |
| | Total In-scope | $48,166,863,300 | 88.33% | 100.00% | 27,290 | 100.00% |
| | Total Audit Plan - Budgeted Hours | | | | 27,290 * | |

Remaining Appropriations Out-of-Scope

| # | Agency Name | Appropriations All Funds FY 16 | % of Total | % Out-of-Scope | Estimated Audit Hours | % Hours of Budget |
| --- | --- | --- | --- | --- | --- | --- |
| 18 | Executive Office | $5,531,100 | 0.01% | 0.1% | N/A | N/A |
| 19 | Community Colleges | 387,825,600 | 0.71% | 6.1% | N/A | N/A |
| 20 | State Universities/Financial Aid | 1,534,724,400 | 2.81% | 24.1% | N/A | N/A |
| 21 | Judiciary | 284,851,400 | 0.52% | 4.5% | N/A | N/A |
| 22 | Legislature | 159,304,800 | 0.29% | 2.5% | N/A | N/A |
| 23 | Transportation | 3,896,201,400 | 7.15% | 61.2% | N/A | N/A |
| 24 | Budget Stabilization Fund | 95,000,000 | 0.17% | 1.5% | N/A | N/A |
| | Total Out-of-Scope | $6,363,438,700 | 11.67% | 100.00% | N/A | N/A |

| Agency Name | Appropriations All Funds FY 16 | % of Total |
| --- | --- | --- |
| Total Appropriations | $54,530,302,000 | 100.00% |

* Total audit plan hours of 27,290 is part of total engagement and oversight activities hours of 38,556 on page 5.


APPENDIX C – LISTING OF OAG MATERIAL WEAKNESSES AS OF SEPTEMBER 30, 2015

| Department | Audit Report Date | Finding Title | Recommendation\Condition | N-New R-Repeat | OIAS Assessed Level of Risk |
| --- | --- | --- | --- | --- | --- |
| DTMB | 03/27/15 | Formal Training Program could Improve DBA's Database Management | - DTMB did not establish a formal training program or take other steps to ensure that all DBAs managing the State's Oracle databases receive sufficient training. | N | High Risk |
| DTMB | 01/22/15 | Security Configuration Enforcement | - DTMB did not enforce security configuration profiles within the State's MDM System. | N | High Risk |
| DTMB | 08/19/14 | Interface Controls | - DTMB, in conjunction with State agencies, had not fully established effective interface controls over the Enterprise Data Warehouse. | N | High Risk |
| DTMB | 06/30/15 | Statewide Single Audit | - The OAG has noted 23 material weaknesses in the Statewide Single Audit. These weaknesses are managed jointly with OFM and the Departments. OAG will be following up on these as part of the next Statewide Single Audit. | Both | High Risk |
| DTMB | 09/08/15 | Procurement Card Program | - DTMB did not ensure that departments provide timely responses to DTMB's quarterly procurement card compliance and transaction reports. | N | Medium Risk |
| DTMB | 12/11/14 | Segregation of Duties | - Surplus did not maintain sufficient segregation of duties over the collection and recording of revenue. | N | Low Risk |
| DTMB | 03/27/15 | More Comprehensive Security Configurations Vital to Protect Databases | - DTMB did not fully establish and implement effective security configurations for the State's Oracle databases. | N | Low Risk |
| DTMB | 12/11/14 | Lack of Documentation for Disposition of Surplus Items | - State Surplus did not maintain sufficient records to accurately account for the disposition of surplus items received from State agencies. | N | Low Risk |
| DTMB | 01/25/13 | Access to DHS's Computer Networks | - OCO, in conjunction with DHS, did not obtain access to DHS's computer networks relating to children's protective services, foster care, adoption services, and the juvenile justice system. | N | Low Risk |

DTMB Total Material Weaknesses: 31

| Department | Audit Report Date | Finding Title | Recommendation\Condition | N-New R-Repeat | OIAS Assessed Level of Risk |
| --- | --- | --- | --- | --- | --- |
| Treasury | 03/07/14 | Write-Off of Uncollectible Delinquent Tax Assessments in STAR | - Treasury did not accurately and completely write off uncollectible delinquent tax assessments in STAR. | N | High Risk |
| Treasury | 07/20/15 | Collections - System programming should be improved to accurately identify delinquent SUW assessment balances | - Treasury did not ensure that the automated system for managing SUW tax returns and payment information is programmed to accurately identify delinquent assessment balances. | N | High Risk |
| Treasury | 07/20/15 | Collections - Comprehensive security are vital to protecting the MARCS application and database | - Treasury did not fully establish and implement effective security configurations for the MARCS application and database. | N | High Risk |
| Treasury | 07/20/15 | Collections - More timely pursuit of delinquent debts is necessary | - Treasury did not timely pursue delinquent debts. | N | Medium Risk |
| Treasury | 07/20/15 | Collections - Improved UBP management and oversight is needed to identify businesses owing taxes | - Treasury did not provide sufficient program management and oversight of the UBP to ensure the identification and registration of businesses owing delinquent taxes. | N | Medium Risk |
| Treasury | 12/03/14 | Use of Restricted Funds | - Treasury did not properly charge expenditures to the Principal Residence Exemption Fund. | N | Medium Risk |

Treasury Total Material Weaknesses: 6

| Department | Audit Report Date | Finding Title | Recommendation\Condition | N-New R-Repeat | OIAS Assessed Level of Risk |
| --- | --- | --- | --- | --- | --- |
| DTED | 01/20/12 | Collection Efforts for Delinquent SUTA Taxes | - UIA's CU and TEU initiate sufficient and timely efforts to collect delinquent SUTA taxes from contributing employers. | N | High Risk |
| DTED | 01/20/12 | UIA - Real Property Liens | - CU determine if delinquent contributing employers own real property before CU files real property liens against the employers. - CU establish controls to verify that county register of deeds offices promptly record UIA's liens and lien discharges. - CU documents the lien recording and discharge information in UIA's records. | N | High Risk |
| DTED | 01/20/12 | UIA - Use of Information | - UIA use available data and data analysis resources to proactively identify and investigate employers potentially involved in: SUTA dumping, misclassifying some or all of their employees as independent contractors, in bankruptcy, or not registering with UIA. | N | High Risk |
| DTED | 01/20/12 | UIA - SUTA Tax Account Actions | - UIA's Tax Office timely initiate actions affecting contributing employers' SUTA tax accounts. - UIA's Tax Office ensure that UIA's master employer files contain up-to-date information. | N | High Risk |
| DTED | 03/22/11 | UIA - Classification of Claimants' Misrepresentations | - UIA improve controls to help ensure that it correctly classifies claimants' intentional misrepresentations or concealment of material facts as fraud. | N | High Risk |
| DTED | 03/22/11 | UIA Claimant Wage and UI Benefit Payment Cross Match Process | - BPC establish effective controls to ensure that claimant wage and UI benefit payment cross match process consistently detects overpayments to claimants. - BPC recover overpayments and associated penalties related to claimants who received UI benefits for which they were ineligible. | N | High Risk |
| DTED | 01/23/13 | MEDC - Overall Compliance Monitoring Process | - MEDC adequately monitor Renaissance Zones' compliance with the requirement of their development agreements. | N | Low Risk |
| DTED | 01/23/13 | MEDC - Renaissance Zone Program Evaluation | - MEDC establish a comprehensive process to evaluate the effectiveness of the Renaissance Zone Program. | N | Low Risk |
| DTED | 03/26/15 | MSF - Controls Over Financial Reporting | - MSF improve its internal control to ensure that it properly records and reports MSF financial activity in accordance with GAAP. | N | Low Risk |

DTED Total Material Weaknesses: 9

| Department | Audit Report Date | Finding Title | Recommendation\Condition | N-New R-Repeat | OIAS Assessed Level of Risk |
| --- | --- | --- | --- | --- | --- |
| LARA | 02/20/15 | Completeness of Investigations | - HPID consistently conduct complete investigations of Public Health Code violations filed against health professionals. | N | High Risk |
| LARA | 02/20/15 | Monitoring of HPRP Contractor | - HPID effectively monitor the HPRP contractor's performance. | N | High Risk |
| LARA | 02/20/15 | Completeness and Accuracy of MAPS Data | - HPID develop additional processes to ensure that it has complete/accurate data in MAPS for all required controlled substances dispensed. | N | High Risk |
| LARA | 04/10/14 | Bureau of Fire Services - Place of Public Assemblage | - Fire Services Bureau ensure that places of public assemblage obtain certification of maximum capacity and compliance with the Fire Prevention Code prior to establishment or operation. - Fire Services Bureau ensure that places of public assemblage receive annual safety inspections or seek amendatory legislation regarding the inspection of places of public assemblage. | R | High Risk |
| LARA | 03/13/14 | Licensing of Substance Abuse Treatment Programs (Two parts) | - HFD conduct statutorily required State inspections of substance abuse treatment programs prior to renewing their licenses. - HFD ensure that its data systems contain accurate information for substance abuse treatment programs. | N | High Risk |
| LARA | 05/19/15 | Improved reporting of allegations to APS needed. | - LARA notify APS of complaints alleging abuse, neglect, and/or exploitation of facility and/or home residents to help DHHS ensure that it takes the appropriate actions. | N | Medium Risk |
| LARA | 05/19/15 | Improved inspection documentation needed. | - LARA sufficiently document on-site licensing inspection review procedures and conclusions to assist DHHS with ensuring proper oversight of facility and home licenses. | N | Medium Risk |
| LARA | 04/10/14 | Bureau of Fire Services - Tank Inspections | - LARA conduct timely storage tank inspections and reinspections. - LARA maintain sufficient documentation supporting its completion inspections. - LARA attempt to obtain missing facility owner contact information. | N | Medium Risk |
| LARA | 11/27/12 | MCB - Equipment Inventory | - MCB properly account for all equipment items at BEP vending facilities located throughout the State. | N | Medium Risk |
| LARA | 11/27/12 | Operators' Monthly Reports | - MCB effectively validate BEP operators' monthly VFRs. | N | Medium Risk |
| LARA | 02/22/13 | Barbershop and Cosmetology Shop Inspections | - BCS perform all required inspections for barbershops and cosmetology shops or request amendatory legislation. | N | Low Risk |
| LARA | 04/10/14 | Bureau of Fire Services - Efforts to Evaluate Effectiveness | - Bureau of Fire Services establish a comprehensive process to assess the effectiveness of its Fire Service operations. | N | Low Risk |
| LARA | 04/10/14 | Bureau of Fire Services - Monitoring of Training Activities | - Bureau of Fire Services monitor State-funded Fire training activities. - And obtain and review course examinations prior to recording passing grades on student examinations. | N | Low Risk |
| LARA | 04/10/14 | Bureau of Fire Services - Statutorily Required Reporting | - Bureau of Fire Services fulfill all statutory reporting requirements. | N | Low Risk |
| LARA | 04/10/14 | Bureau of Fire Services - Training Conflicts of Interest | - Bureau of Fire Services improve its efforts to preclude conflicts of interest among FFTC members, training instructors, training coordinators, county training committee chairpersons, and regional supervisors involved in the firefighter training process. | N | Low Risk |
| LARA | 06/25/14 | Performance Monitoring | - MPSC establish a comprehensive process to evaluate and improve the effectiveness of its operations. | N | Low Risk |

LARA Total Material Weaknesses: 16

| Department | Audit Report Date | Finding Title | Recommendation\Condition | N-New R-Repeat | OIAS Assessed Level of Risk |
| --- | --- | --- | --- | --- | --- |
| MDARD | 05/30/13 | Food Establishment Inspections | - FDD conduct routine and follow-up inspections of food establishments in accordance with the Michigan Food Law of 2000. - FDD maintain inspection records for temporary food establishments in accordance with MDARD's records retention and disposal schedule. | N | High Risk |
| MDARD | 05/30/13 | Dairy Inspections | - FDD conduct routine inspections and schedule reinspections of dairy facilities, trucks, and haulers and samplers according to law or guidelines. - FDD retain documentation of its approval of remodeling or equipment charges for dairy processing plants. | N | High Risk |

MDARD Total Material Weaknesses: 2


| Department | Audit Report Date | Finding Title | Recommendation\Condition | N-New R-Repeat | OIAS Assessed Level of Risk |
| --- | --- | --- | --- | --- | --- |
| DHHS | 06/17/14 | Provider Service Log or Invoice Documentation | - DHHS Medicaid Home Help - timely obtain sufficient documentation to ensure providers have delivered the services paid for through a preauthorized payment process. | N | High Risk |
| DHHS | 05/31/13 | Interface Processing Controls | - DHHS and DTMB fully establish effective processing controls over Bridges interfaces. | N | High Risk |
| DHHS | 07/09/14 | Adult Protective Services - Client Service Plans | - APS caseworkers consistently complete APS client service plans as required. | N | High Risk |
| DHHS | 07/09/14 | Adult Protective Services - Evaluation of APS Effectiveness | - Fully develop and implement a process to evaluate the effectiveness of APS intervention services. | N | High Risk |
| DHHS | 07/09/14 | Adult Protective Services - Review of Closed Investigation Cases | - APS supervisors consistently review closed APS investigation cases, as required. - Ensure that APS supervisors conduct reviews of closed APS investigation cases that effectively detect unaddressed allegations, incomplete APS client service plans, and missed monthly face-to-face contacts with APS clients. | N | High Risk |
| DHHS | 07/09/14 | Adult Protective Services - Monthly Face-to-Face Contacts | - APS caseworkers conduct monthly face-to-face contacts with APS clients with open APS investigations, as required. | N | High Risk |
| DHHS | 07/09/14 | Adult Protective Services - Investigation of Allegations | - DHHS investigate all allegations identified in referrals assigned for an APS investigation. | N | High Risk |
| DHHS | 07/09/14 | Adult Protective Services - Investigation Standards of Promptness | - DHHS county/district offices begin and conduct APS investigations in accordance with standards of promptness established by the Michigan Compiled Laws and DHHS policies. | N | High Risk |
| DHHS | 01/22/14 | File Share Server Security and Access Controls | - DCH, in conjunction with DTMB, fully establish effective security and access controls over the file share servers that contain the State's electronic birth and death records. | N | Medium Risk |
| DHHS | 06/17/14 | ASW Contacts With Clients and Providers | - DHS and DHC timely obtain sufficient documentation to ensure that Medicaid Home Help program providers have delivered the services paid for through a preauthorized payment process. | N | Medium Risk |
| DHHS | 05/31/13 | Bridges Change Controls | - DTMB, in conjunction with DHS, comply with SUITE, contract provisions, and change control best practices. | N | Medium Risk |
| DHHS | 05/31/13 | ClearCase and ClearQuest Access | - DTMB establish effective access controls over the Bridges version controls tool, ClearCase, and the Bridges workflow tool, ClearQuest. | N | Medium Risk |
| DHHS | 01/29/14 | Patient Observation | - Center for Forensic Psychiatry ensure that its staff more effectively observe patients. | N | Low Risk |
| DHHS | 07/31/13 | Recovery of Medicaid Costs | - HILS attempt to recover and timely recover Medicaid pharmaceutical costs that are the potential liability of Medicare. | N | Low Risk |
| DHHS | 08/08/14 | Timeliness of Complaint Resolution | - ORR initiate investigations immediately upon receipt of complaints involving alleged abuse or neglect. - ORR timely complete interventions and investigations. | N | Low Risk |
| DHHS | 08/08/14 | Review of Recipient Deaths | - ORR perform preliminary reviews of all patient deaths that State psychiatric hospitals report to ORR. - ORR maintain sufficient documentation to support that ORR performed preliminary reviews of all patient deaths. | N | Low Risk |

DHHS Total Material Weaknesses: 16

| Department | Audit Report Date | Finding Title | Recommendation\Condition | N-New R-Repeat | OIAS Assessed Level of Risk |
| --- | --- | --- | --- | --- | --- |
| MSP | 06/25/14 | Intrastate Authority Registration | - MPSC should timely process motor carriers' applications to operate in Michigan. - MPSC should seek amendatory legislation to incorporate available technological practices. | N | Low Risk |
| MSP | 06/06/14 | Unobligated Funds | - MCOLES should implement a control to ensure that it identifies all unobligated MJTF funds eligible for competitive grant awards on an annual basis. | N | Low Risk |

MSP Total Material Weaknesses: 2

| Department | Audit Report Date | Finding Title | Recommendation\Condition | N-New R-Repeat | OIAS Assessed Level of Risk |
| --- | --- | --- | --- | --- | --- |
| DMVA | 04/30/13 | Controls Over Food, Maintenance Supplies, and Medical Supplies | - GRHV should implement controls over its food, maintenance supplies, and medical supplies inventories. | N | Medium Risk |
| DMVA | 04/30/13 | Controls Over Pharmaceutical Inventory | - GRHV should fully establish controls over its pharmaceutical inventory. | N | Medium Risk |
| DMVA | 05/14/15 | Lack of required training for MYCA staff. | - MYCA should provide the required training to its staff. | N | Low Risk |
| DMVA | 05/14/15 | Safeguarding and accounting for cash received needed. | - MYCA should safeguard and properly account for cash received from cadets' families and various fund-raising activities. | N | Low Risk |
| DMVA | 12/20/13 | VSA Performance Standards | - MVAA should issue performance standards to each VSO that receives State grant funds. | N | Low Risk |
| DMVA | 12/20/13 | Monitoring of VSA Performance | - MVAA should effectively monitor the performance of the VSOs that receive State grant funds. | N | Low Risk |
| DMVA | 05/14/15 | MYCA not effectively staffed. | - MYCA should comply with the cooperative agreement by providing proper staffing levels and effectively overseeing staff. | N | Low Risk |
| DMVA | 05/14/15 | Comprehensive evaluation of program effectiveness needed. | - MYCA should establish a comprehensive process to monitor and evaluate the effectiveness of its operations. | N | Low Risk |

DMVA Total Material Weaknesses: 8

| Department | Audit Report Date | Finding Title | Recommendation\Condition | N-New R-Repeat | OIAS Assessed Level of Risk |
| --- | --- | --- | --- | --- | --- |
| MDE | 07/17/13 | CCDF - Central Registry Records Check Processes | - MDE conduct periodic tests of its Central Registry records check processes to ensure effectively identify individuals with substantiated histories as perpetrators of child abuse and/or neglect and prevent from providing child care services. - MDE include inactive unlicensed child care providers in its Central Registry records check processes. | N | High Risk |
| MDE | 07/17/13 | CCDF - Terminable Crimes and Codes List | - MDE ensure that the terminable crimes and codes list is complete and includes the crime description and conviction coding information necessary to identify unsuitable unlicensed providers. | N | High Risk |
| MDE | 07/17/13 | CCDF - Criminal History Checks at Enrollment | - MDE strengthen its ICHAT records check process | N | High Risk |
| MDE | 07/17/13 | CCDF - Monthly Criminal History Checks | - MDE ensure that its monthly ICHAT records check process works effectively to detect active unlicensed providers with terminable convictions in ICHAT records. | N | High Risk |
| MDE | 07/17/13 | CCDF - Suitability of Adult Household Members of Unlicensed Providers and Family and Group Child Care Home Provider | - MDE and BCAL implement controls to ensure that criminal background and Central Registry check processes effectively identify and terminate unlicensed providers and family and group home providers with adult household members that have criminal convictions of terminable crimes or were substantiated as perpetrators of child abuse and/or neglect. - MDE utilize internal and publicly available information to help identify unreported adult household members of unlicensed providers who care for children in their own homes. | R | High Risk |
| MDE | 03/14/14 | Change Control Process | - MDE and DTMB continue to develop a comprehensive change control process for MEGS+ and FNS-FRS. | R | Low Risk |
| MDE | 03/14/14 | Database Security | - DTMB and MDE monitor privileged user activity and automated audit logs of high-risk events for the SAMS, MEGS+, CMS, and FNS-FRS databases. | N | Low Risk |
| MDE | 03/14/14 | Security Program and Access Controls | - MDE and DTMB continue to fully establish a comprehensive information systems security program and effective access controls over MDE information systems. | R | Low Risk |
| MDE | 11/15/13 | Early On - IFSP Development and Review | - MDE implement measures to ensure that ISDs develop and review IFSPs for children and their families qualifying for Early On-only services in accordance with federal regulations. | N | Low Risk |
| MDE | 11/15/13 | Early On - EI Services Available for Delivery | - MDE implement measures to ensure that ISDs comply with federal regulations by providing Early On-only children access to a comprehensive selection of EI services delivered by qualified personnel. | N | Low Risk |

MDE Total Material Weaknesses: 10

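| Department | Audit Report Date | Finding Title | Recommendation\Condition | N-New R-Repeat | OIAS Assessed Level of Risk |
| --- | --- | --- | --- | --- | --- |
| DOS | 01/16/15 | Motor Vehicle - GVW Registration Fees | - DOS did not always accurately prorate GVW registration fees. | N | High Risk |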

DOS Total Material Weaknesses: 1

| Department | Audit Report Date | Finding Title | Recommendation\Condition | N-New R-Repeat | OIAS Assessed Level of Risk |
| --- | --- | --- | --- | --- | --- |
| MDOT | 02/16/15 | Lease and Refurbishment of Commuter Rail Cab and Coach Cars | - The OAG recommended that the Office of Rail effectively and efficiently oversee the lease and refurbishment of cab and coach cars designated for two commuter rail projects. | N | N/A |
| MDOT | 02/20/15 | Monitoring of Road and Bridge Warranties | - The OAG recommended that MDOT ensure that staff inspect or timely inspect warrantied road and bridge construction projects. - The OAG also recommended that MDOT maintain documentation to support initial acceptance of warrantied projects, interim and final inspections, and notifications to the contractor that the warranty period was complete. | N | N/A |
| MDOT | 06/06/14 | Program Outcome Assessments | - The OAG recommended that OED comprehensively assess the effectiveness of all programs funded by TEDF and federal grants. | N | N/A |
| MDOT | 02/02/15 | Statewide Warranty Administration Database (SWAD) | - The OAG recommended that MDOT ensure the completeness and accuracy of the information recorded in SWAD. | N | N/A |
| MDOT | 02/02/15 | Timeliness of Corrective Action Completion | - The OAG recommended that MDOT ensure that contractors complete corrective action and complete it timely for warrantied projects identified as needing repairs. | N | N/A |

* MDOT Total Material Weaknesses: 5

Overall Total Material Weaknesses: 106

*MDOT’s internal audit is statutorily separate from OIAS.