Mission
To enhance and protect organizational value by providing Executive branch departments and agencies of the State of Michigan with risk-based, objective and reliable assurance, advice, and insight.
Leadership, Courage, Measures, Duty, Enthusiasm, Excellence, Focus, Integrity, Accountability, Vision, Teamwork, Collaboration, Results, Loyalty, Camaraderie
DRAFT 2016 Risk Assessment and Plan of Engagements
State of Michigan
October 1, 2015 through September 30, 2016
Executive Summary
Introduction
2016 Fiscal Year Appropriation for Office of Internal Audit Services (OIAS)
Plan of Engagements
Mission, Vision, and Core Principles of OIAS
Mission
Vision
Core Principles
Definition of Internal Auditing
Purpose
Statutory Mandates
Governance and Risk Management Approach
Enterprise Risk and Control Committee
Lines of Defense Model
Plan of Engagements Methodology
Preparing for the Risk Assessment and Plan of Engagements
Consideration of Information Technology Processes
Red Card
Office of the Auditor General (OAG) Collaboration
Office of Good Government (OGG) Collaboration
OAG Material Weakness Evaluation
Look Back Analysis/Project Carryforward
Project Selection and Prioritization Process
Risk Factors
Planned Engagements
Strategic and Operational Excellence
Appendix
Appendix A Department Risk Assessment/Heat Maps
Appendix B Agency FY 16 Appropriations vs. Budgeted Audit Hours
Appendix C Listing of OAG Material Weaknesses as of September 30, 2015
Confidential
Draft
Executive Summary
The Management and Budget Act of 1984 required each principal department within the Executive
branch to appoint its own internal auditor. Executive Order (EO) No. 2007-31, effective October 1,
2007, essentially consolidated the internal audit function and established a centralized Office of
Internal Audit Services (OIAS) within the State Budget Office (SBO), and transferred the authority,
responsibilities, duties, functions, and resourcing for internal audit services to the State Budget
Director.
Since the implementation of the EO in 2007, OIAS has been successful in the creation of a centralized internal audit approach and its supporting role in statutory compliance with Michigan Compiled Laws Section 18.1485, as amended by Section 18.46. This law requires each principal department to establish, maintain, and evaluate the sufficiency of its internal control and issue a biennial report to the Governor. The law also requires an independent review by OIAS of the overall adequacy of the department's evaluation and reporting processes. This approach, while not exact, has similar overall themes and characteristics to the U.S. federal law enacted by Congress on July 30, 2002, commonly known as the Sarbanes-Oxley Act.
On April 1, 2015, State Budget Director John Roberts and Chief Internal Auditor Jeff Bankowski presented a draft vision and reinvention plan to Governor Rick Snyder and Senior Advisor and Transformation Manager Rich Baird. Key components of the reinvention plan included a top-down and bottom-up review of the existing internal audit risk methodology, a framework for enhanced collaboration with the Office of the Auditor General (OAG) to resolve recurring material weaknesses and reduce duplication of effort, and the creation of an oversight risk committee. The reinvention plan will continue to emphasize traditional internal audit assurance and consulting to the principal departments and agencies, which will include areas such as performance and program assessment, operational excellence, scorecards/metrics, Good Government initiative support, and staff augmentation/risk assessment of the Statewide Integrated Governmental Management Applications (SIGMA) IT system implementation. The newly created Risk Committee will monitor OIAS's Risk Assessment and Plan of Engagements (the Plan) on a quarterly basis.
Ultimately, it is the desire of the State of Michigan (State) to further capitalize on its significant investment in internal control and strong tone at the top to build a leading-practice internal audit and risk management process, with the long-term goal of OIAS achieving trusted advisor status with its critical stakeholders.
Introduction
This document provides a written roadmap for the Fiscal Year 2016 Plan. In implementing its mission, OIAS practices conform to the International Standards for the Professional Practice of Internal Auditing (Standards) issued by the Institute of Internal Auditors (IIA). IIA Standards require that the Chief Internal Audit Executive establish a risk-based plan to determine the priorities of the internal audit activity consistent with the organization's goals. This Plan provides our vision of internal audit efforts for the fiscal year, allocating resources to the most critical areas of risk within the State.
OIAS's overall approach to this document leverages Governor Snyder's planning approach of Vision, Engage, Adjust, and Attack. Our intent in the risk assessment planning process is not to be overly prescriptive on each activity but rather to remain flexible and proactive with our stakeholders, given the changing risk profile and dynamic nature of the State. To illustrate that flexibility, OIAS will provide an update regarding its risk assessment and prioritization process every six months and will adjust the rolling plan based on feedback and approval of the Risk Committee. The projects initially identified for the Plan leveraged a formal risk assessment model that considered input from various stakeholders including the Executive Office of the Governor, the Cabinet members, State agency management, and the State Budget Office. The Risk Committee performs final approval and oversight of the Plan.
2016 Fiscal Year Appropriation for Office of Internal Audit Services (OIAS)
The total appropriation for OIAS during 2016 amounts to approximately $5.4 million, representing no material change from the $5.4 million appropriated in 2015.

Sources of Funding

Appropriations | FY 2016 | FY 2015
General Fund/General Purpose | $3,272,600 | $3,549,000
Special Revenue/SWCAP | 1,482,400 | 1,220,600
State Restricted Indirect Funds | 617,900 | 617,900
Total | $5,372,900 | $5,387,500

Disposition of Appropriations

Category | FY 2016 Budget | FY 2015 Incurred
Salaries & Fringes | |
Salaries | $2,890,231 | $2,757,936
Longevity | 11,510 | 11,431
Insurance | 483,465 | 452,555
Retirement/FICA | 1,797,466 | 1,665,863
Supplemental Retirement | 7,705 | 30,819
Total Salaries & Fringes | $5,190,377 | $4,918,605
Support | |
Travel | $9,500 | $9,500
Conferences and Seminars (Training) | 10,000 | 10,000
IT Expenditures | 129,550 | 132,025
Other Support | 33,473 | 24,600
Total Support | $182,523 | $176,125
Total Appropriation | $5,372,900 | $5,094,730
Plan of Engagements
Below is the Internal Audit budgeted hours by activity beginning October 1, 2015 through September 30, 2016. This budget assumes no change in current staffing headcount.

Activities:
Engagement Activities: Operational Excellence / Process reviews; Material Weaknesses: Validation; Consulting; Material Weaknesses: Corrective Action Consultation; Assurance; Reserve for Agency requests
Statewide Initiatives: SIGMA Support; Enterprise Information Management (EIM); Risk Assessment and Plan of Engagements; Internal Control Evaluation
Fraud; W2 Reviews; Other Planned Engagements; Sec 487 (potential irregularities); ICE Reengineering; Central monitoring/support

Hours (column values as extracted; the pairing of each value with its activity did not survive extraction): 9,980; 3,400; 2,000; 600; 300; 700; 1,120; 650; 500; 460; 200; 50; 1,100; 550; 550; 280; 200; 80; 5,324; 11,000; 7,928; 3,072; 1,230; 1,150; 80; 66,040; 38,556; 4,700; 3,000; 3,460; 5,324; 11,000
Mission
To enhance and protect organizational value by providing Executive branch departments and
agencies of the State of Michigan with risk-based, objective and reliable assurance, advice, and
insight.
Vision
To be regarded as trusted advisors who positively impact the efficiency and effectiveness of
services that Executive branch departments and agencies deliver to the citizens of Michigan.
[Figure: Trusted Advisor matrix with axes Competence and Relationships; quadrants: Compliance function; Capable but poorly aligned; Engaged but not strategic; Trusted Advisor.]
Core Principles
The 10 core principles highlight what effective internal auditing looks like in practice as it relates to
the individual auditor, the internal audit function, and internal audit outcomes. The 10 OIAS core
principles are:
Demonstrates uncompromised integrity
Demonstrates commitment to competence, accountability, and due professional care
Displays objectivity in mindset and approach and is free from undue influence
Aligns with the strategies, objectives and risks of the Governor & Executive Branch
Is appropriately positioned and adequately resourced
Demonstrates quality, innovation, and continuous improvement
Communicates effectively
Provides risk-based assurance to those charged with governance
Is insightful, proactive, and future-focused
Promotes organizational improvement
Definition of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve the State of Michigan. It helps the State accomplish its objectives by bringing a
Purpose
OIAS's purpose is to help ensure:
Risks are appropriately identified and managed
Programs, plans, and objectives are achieved
Significant financial and operating information is accurate, reliable, and timely
Resources are acquired economically, used efficiently, and adequately safeguarded
Employees' actions are in compliance with policies, standards, procedures, and applicable laws and regulations
Quality and continuous improvement are fostered in the State's internal control process
Significant legislative or regulatory issues impacting the State are addressed appropriately
Interaction with the various governance groups occurs as needed
Statutory Mandates
With respect to its 2016 Plan, OIAS meets the statutory mandates of the required internal audit functions as defined in Michigan Compiled Laws (MCL) Section 18.1486, as amended by Section 18.46. These mandates include:
1. Receive and investigate any allegations that false or misleading information was received in evaluating a principal department's internal accounting and administrative control system or in connection with the preparation of the biennial report on the system
Assessment: OIAS has an established process to investigate any allegations with respect to false or misleading information. OIAS, where applicable, collaborates with the Attorney General and the Inspectors General of select departments to ensure any allegations are properly addressed. In addition, departments will next report on their system of internal control in May 2017, and related OIAS efforts will be included in the 2017 Plan.
2. Conduct and supervise audits relating to financial activities of a principal department's operations
Assessment: OIAS, in conjunction with the principal departments, has included audits of financial activities in its Plan. In addition, OIAS will conduct select financial activities with respect to the State's Comprehensive Annual Financial Report (CAFR).
3. Review existing activities and recommend policies designed to promote efficiency in the administration of a principal department's programs and operations
Lines of Defense Model
Risk assessment and internal audit are integral parts of the governance framework. This framework has three main elements, or lines of defense, all of which combine to provide the Risk Committee, as the Governing Body, with assurance that the State is effectively managing risk as depicted below:
The first line of defense rests with the department and agency operations and management
that perform the day-to-day risk management activity, largely through established processes
and project management controls.
The second line of defense is held by the oversight functions within the State at the
administrative level in such areas as legal, finance, budget, compliance, quality, and
information technology. They provide guidance to the business on risk areas where policies
and procedures are necessary.
Internal Audit forms the third line of defense, offering independent oversight and assurance
that the processes in the first two lines of defense are operating effectively.
Other assurance providers are depicted such as External Audit (OAG) and Federal
Regulators. These entities, although separate from the Executive Branch, provide
information, assurance and coverage that the State is operating as intended.
Each line of defense provides information to Senior Management and the Governor to help
monitor operations and maintain stewardship responsibilities to its citizens. Consistent with leading
practices, the work of OIAS should address the gaps in the assurance effort rather than replicating
management activity or that of the other providers. At the same time, however, OIAS should
provide objective monitoring with regard to the effectiveness of management and their processes.
Consideration of Information Technology Processes
The Department of Technology, Management and Budget (DTMB) is the State's Executive branch IT service provider and serves as the general contractor between the State's information technology users and private sector IT service providers. DTMB is responsible for establishing and coordinating the technological direction of the State. In doing so, DTMB works with State departments and agencies to ensure a secure and effective operating environment for the State's information technology infrastructure.
DTMB also has primary responsibility for establishing, maintaining, and monitoring internal control over the State's IT environment (general controls) and supporting processes. However, some aspects of the State's general controls are not implemented enterprise-wide; instead, they are established and maintained at the department business process level based on guidance issued by DTMB. As a result, DTMB and the departments share responsibility for designing, implementing, and performing business process-level control activities and for assessing their effectiveness.
Red Card
The State's Red Card is a listing of services/applications that the State agencies, in conjunction with DTMB, have identified as critical and requiring significant priority for business resumption procedures. In planning new engagements and following up on agency remediation efforts, OIAS considered the Red Card's services/applications in its holistic view of risks.
Office of the Auditor General (OAG) Collaboration
On June 24, 2015, OIAS and OAG signed a Memorandum of Understanding (MOU) that outlined several planned activities to begin collaboration on assurance efforts and to reduce duplication of effort in accordance with the three lines of defense model. To that end, on October 26, 2015, OIAS leadership met with the Auditor General and Deputy Auditor General to discuss our current risk assessment and planned activities. See Appendix A for heat map assessments that include the OAG's past and current audit efforts.
Due to their interconnecting roles, OIAS and OAG will continue to collaborate within the limits of their respective organizations' charters, professional standards, and statutory mandates to minimize
Office of Good Government (OGG) Collaboration
Governor Snyder created the Office of Good Government (OGG) during his first term. OGG provides strategic direction and training on programs that include employee engagement, change management, service/process optimization, and performance management. Ultimately, the goal of OGG is to create an efficient, effective, transparent, accountable, and customer-centered State government.
Many of the goals of OGG regarding efficiency and effectiveness are similar to those of OIAS. Thus, both entities have committed to collaborate on various initiatives. To further strengthen the linkage, John Roberts, the State Budget Director, and Director Mike Zimmer of Licensing and Regulatory Affairs (LARA) are members of both the Good Government Committee and the Enterprise Risk and Control Committee. During its 2016 Risk Assessment and Plan of Engagements process, OIAS and OGG collaborated, where applicable, to discuss opportunities and gain synergies in their consulting efforts to further support process improvement in the State. See details below for further discussion regarding OIAS's and OGG's combined roles in Strategic and Operational Excellence.
OAG Material Weakness Evaluation
In May 2015, OIAS initiated an analysis and roll-up of material internal control weaknesses included in audit reports issued beginning October 1, 2012. A material weakness is defined as a matter that, in the auditor's judgment, is more severe than a reportable condition and could impair the ability of management to operate a program in an effective and efficient manner and/or could adversely affect the judgment of the interested person concerning the effectiveness and efficiency of the program.
We evaluated the current status of material weaknesses and collaborated with the OAG on plans to conduct follow-up engagements for the purpose of assessing implementation of corrective actions intended to remediate the material weaknesses and to offer consultation on any design deficiencies identified. OIAS classified the material weaknesses as high, medium, or low risk based on consideration of several quantitative and qualitative factors. These assessments are included in Appendix C - Listing of Material Weaknesses. Our Plan includes those material weaknesses on which we intend either to follow up and validate remediation results, or to consult on the sufficiency of the planned efforts.
OIAS also included in its fiscal year 2016 initiatives enhancements to our audit repository process (TeamMate) for reconciling material weaknesses with the OAG. These enhancements are intended to improve the audit planning process and reporting on the status of known material weaknesses.
Look Back Analysis/Project Carryforward
July 2015, OIAS has concentrated its efforts to finalize all engagement activities for prior
As of October 30, 2015, only four engagements remain open:
DEQ SAW Grant Program Administration
DOC Service Contract Consult
DHHS Data Consult
DTMB Enterprise Architecture
Project Selection and Prioritization Process
OIAS's development of its annual risk-based Plan is a multi-step iterative process. OIAS first identified and conducted a risk assessment of the State's auditable entities. To ensure selection of the highest-risk and most value-added projects, OIAS mapped each identifiable business component to the department's critical assessable units identified during the 2015 ICE cycle. In addition, OIAS identified other factors such as departmental scorecards/metrics, major federal programs, significant contracts, information systems, management concerns, and reported material weaknesses associated with each critical assessable unit.
OIAS based the number of projects selected for inclusion in the Plan on factors such as the impact the project may have (the problem or risks it addresses and the likely types of opportunities for improvement that may result); the sensitivity, complexity, and difficulty of the project compared to its likely impact; the amount of audit coverage already being provided by OAG and other department audit functions; OIAS staff qualifications; and available resources. In addition, the Plan includes several entity-wide projects selected for the opportunity to address common high-risk areas across the organization.
OIAS recently participated in a benchmarking review with various third parties including internal audit teams from Blue Cross Blue Shield, Accident Fund, and the State of Ohio. Additionally, OIAS engaged DTMB's Office of Performance Management in October for a lean review of its audit planning methodology. These efforts are planned into January 2016 and are included in our Plan of Engagements. All of the initiatives discussed are intended to expand OIAS's capability to move towards higher-risk engagements with narrower scope. This effort will allow for quicker turnaround times and enable a timely response to identified issues. However, some projects are inherently complex and require additional time for OIAS to provide quality results and to comply with IIA Standards.
OIAS's available resources limit the number of projects that can be completed each year. As a result, there may be a number of high-risk areas that are not addressed by the Plan.
Risk Factors
OIAS used eight factors to assess the risks associated with the State's auditable entities. Risk factors were scored based on the likelihood of the risk and the impact of the event. Weights were assigned to the various risk factors to calculate a composite risk score and initial heat maps for each auditable entity. The heat maps were further adjusted based on agency leadership feedback and OIAS's professional judgment. Using this information, OIAS further determined areas to prioritize and provide to the Risk Committee for review.

Risk Factors and Associated Weights

Risk Factor | Weight | Description
Management Concerns | 150% | Management concerns or other known issues.
Importance of Business Objective to the State's Overall Mission | 100% |
Control Environment | 100% |
Known Material Weaknesses to Be Followed Up | 100% |
Dollar Amount Supported Through Activity | 70% |
Regulatory / Legal Requirements / Federal Funding | 65% |
Maturity of Business Process | 60% |
Exposure Risk | 50% |
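The weighting scheme above can be turned into a reproducible ranking. The Python below is an added illustration written for this page, not OIAS's scoring model: the eight factor names and their percentages come from the table, while everything else is assumed for the example. It assumes each factor is rated on the five-point likelihood (Rare to Frequent) and impact (Incidental to Extreme) scales used on the heat maps, takes each factor's risk as likelihood times impact, weights and normalises the result to a 0 to 1 composite, places the entity on a heat-map cell from the weighted-average likelihood and impact, and assigns LOW/MEDIUM/HIGH with threshold values chosen for the example. The three sample entities and their ratings are constructed, not taken from the Plan.

```python
"""Weighted composite risk scoring for auditable entities (illustrative).

Only the eight factor names and percentage weights come from the Risk
Factors table. Five-point scales, likelihood x impact per factor, the
normalisation, the band thresholds and the sample entities are assumptions
made for this example and are not OIAS's actual model.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Factor weights from the Risk Factors table (150% -> 1.5, and so on).
WEIGHTS: Dict[str, float] = {
    "management_concerns": 1.50,
    "importance_to_mission": 1.00,
    "control_environment": 1.00,
    "known_material_weaknesses": 1.00,
    "dollar_amount": 0.70,
    "regulatory_legal_federal": 0.65,
    "process_maturity": 0.60,
    "exposure_risk": 0.50,
}

# Heat map axes; a rating of n means position n (1..5) on the scale.
LIKELIHOOD = ("Rare", "Unlikely", "Possible", "Likely", "Frequent")
IMPACT = ("Incidental", "Minor", "Moderate", "Major", "Extreme")


@dataclass(frozen=True)
class Rating:
    likelihood: int  # 1..5
    impact: int      # 1..5

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError(f"rating {value} outside 1..5")

    def risk(self) -> int:
        """Per-factor risk as likelihood x impact (assumed; range 1..25)."""
        return self.likelihood * self.impact


Entity = Dict[str, Rating]  # one Rating for every factor in WEIGHTS


def composite_score(entity: Entity) -> float:
    """Weighted factor risk normalised to 0..1 (1.0 = Frequent/Extreme everywhere)."""
    missing = set(WEIGHTS) - set(entity)
    if missing:  # refuse to score a partially rated entity rather than default to zero
        raise KeyError(f"unrated factors: {sorted(missing)}")
    weighted = sum(WEIGHTS[f] * entity[f].risk() for f in WEIGHTS)
    return weighted / (25 * sum(WEIGHTS.values()))


def heat_map_cell(entity: Entity) -> Tuple[str, str, str]:
    """Weighted-average likelihood and impact rounded to a cell, plus its band.

    Band thresholds are an assumption: cell product >= 15 HIGH, >= 6 MEDIUM, else LOW.
    """
    total_w = sum(WEIGHTS.values())
    lik = round(sum(WEIGHTS[f] * entity[f].likelihood for f in WEIGHTS) / total_w)
    imp = round(sum(WEIGHTS[f] * entity[f].impact for f in WEIGHTS) / total_w)
    product = lik * imp
    band = "HIGH" if product >= 15 else "MEDIUM" if product >= 6 else "LOW"
    return LIKELIHOOD[lik - 1], IMPACT[imp - 1], band


def rank_entities(entities: Dict[str, Entity]) -> List[Tuple[str, float]]:
    """Entities ordered highest composite score first, as a plan prioritisation input."""
    return sorted(((name, composite_score(e)) for name, e in entities.items()),
                  key=lambda pair: pair[1], reverse=True)


def uniform(likelihood: int, impact: int) -> Entity:
    """Helper: the same rating on every factor."""
    return {f: Rating(likelihood, impact) for f in WEIGHTS}


# Constructed sample entities; names and ratings are not from the Plan.
SAMPLE: Dict[str, Entity] = {
    "Collections": uniform(4, 4),
    "Real Estate": uniform(2, 2),
    # Modest ratings everywhere except a flagged management concern (weight 150%).
    "Vendor File": {**uniform(2, 3), "management_concerns": Rating(5, 4)},
}

if __name__ == "__main__":
    for name, score in rank_entities(SAMPLE):
        print(f"{name:12s} {score:.3f} {heat_map_cell(SAMPLE[name])}")
```

Because "Management Concerns" carries the largest weight, a single high-rated concern lifts the "Vendor File" entity above an entity with uniformly modest ratings; the rounding to a cell is what a reviewer would then adjust with agency feedback and professional judgment, as the text describes.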
Planned Engagements
The following schedule represents planned engagement areas based on an evaluation of agency audit
priorities from heat maps, discussions with agency management, and available resources.
OIAS, in consultation with the Risk Committee, may revise projects and schedules of the Plan.
The OIAS level of effort included in the Plan is generally categorized as follows:
Small: less than 300 hours
Medium: between 300 and 500 hours
Large: between 500 and 800 hours
The planned areas for fiscal year 2016 include:

# | Department | Engagement Area | Level of Effort | Type of Engagement | Description of Engagement Scope
Value for Money Government and Treasury
1 | Treasury | | | |
2 | Treasury | | | |
3 | Treasury | Collections | Small | Follow Up |
4 | Treasury | Collections | Large | Consulting |
5 | Treasury | Local Government | Small | Follow Up |
6 | Treasury | Local Government | Small | Follow Up |
7 | Treasury | | Medium | Consulting | Process review.
8 | Treasury | Local Government | Medium | Consulting |
9 | Treasury | Lottery - iLottery | Medium | Assurance |
10 | CSC | Office of Compliance | Medium | Follow Up |
11 | DTMB-MB | | Medium | Assurance |
12 | DTMB-MB | | Small | Consulting |
13 | DTMB-MB | Office of Procurement | Small | Consulting | Participate on Purchasing process improvements and monitoring activities and consult on the development of the Enterprise Procurement Policy Manual. Includes three OAG material findings.
14 | DTMB-MB | SBO - OFM/Statewide Single | Small | Consulting | Review vendor file controls designed to prevent unauthorized changes.
15 | DTMB-IT | IT Mgmt., IT Tech Infrastructure, IT Apps, Cybersecurity | Medium | Consulting | Consult on the IT Theme Area Project. This DTMB project is intended to implement an enterprise control and monitoring solution for common IT internal control weaknesses.
16 | DTMB-IT | IT Mgmt., IT Apps | Medium | Follow Up |
17 | DTMB-IT | IT Mgmt., IT Apps | Small | Consulting |
18 | DTMB-IT | | Small | Consulting |
19 | Statewide | ICE | Large | Consulting |
20 | Statewide | Statewide | Medium | Assurance |
21 | Statewide | | | |
22 | DNR | | | |
23 | DEQ | | | |
24 | DEQ | | | |
25 | DTED | | Medium | Consulting |
26 | DTED | | | Consulting |
Quality of Life and Economic Strength
27 | DTED | Unemployment Insurance Agency (UIA) - Unemployment Insurance Benefit Overpayments and Nonmonetary Eligibility Determinations | Large | Follow Up | Four material findings the OAG reported in March 2011.
28 | DTED | UIA - Collection of Delinquent Unemployment Taxes and Reimbursements | Large | Follow Up | Two material findings the OAG reported in January 2012.
29 | DTED | | Medium | Consulting |
30 | LARA | | Medium | Follow Up |
31 | LARA | | Large | Follow Up |
32 | LARA | | Small | Follow Up |
33 | LARA | | Small | Follow Up |
34 | LARA | | Medium | Follow Up |
35 | LARA | | Small | Follow Up |
36 | LARA | | Small | Follow Up |
37 | MDARD | | Medium | Assurance |
People, Health and Education
38 | MDE | Office of Great Start - Child Care Development Fund | Large | Follow Up |
39 | MDE | Office of Great Start - Child Care Development Fund | Large | Follow Up |
40 | MDE | Office of Great Start - Child Care Development Fund | Medium | Consulting |
41 | MDE | | Medium | Consulting |
42 | DHHS | | Medium | Assurance |
43 | DHHS | | | Assurance |
44 | DHHS | | | Consulting |
45 | DHHS | | | Follow Up |
46 | DHHS | | Medium | Follow Up |
47 | DHHS | | Large | Follow Up |
48 | DHHS | | Large | Follow Up |
49 | DHHS | | Medium | Follow Up |
50 | DHHS | | | Consulting |
51 | DHHS | | | Consulting |
52 | DHHS | | | |
53 | DHHS | | | |
54 | DOC | | | |
55 | DOC | Application Control | Medium | Consulting |
56 | DOC | | Medium | Follow Up |
57 | DOC | | Small | Consulting |
58 | DOC | | Large | Assurance |
59 | DOC | | Small | Consulting |
60 | DOC | Contract Monitoring | Medium | Assurance |
61 | DOC | Accounts Payable | Medium | Assurance |
62 | MSP | Forensic Science | Small | Follow Up |
Public Safety
63 | MSP | | Small | Consulting |
64 | State | Registration Fee | Small | Follow Up |
65 | State | User Controls | Medium | Consulting |
66 | DMVA | Tuition Assistance | Small | Assurance |
67 | DMVA | | Medium | Consulting |

Planned engagements by department and type of engagement:

Department | Assurance | Consulting | Follow Up | Grand Total
CSC | | | 1 | 1
DEQ | 1 | 1 | | 2
DHHS | 3 | 4 | 5 | 12
DMVA | 1 | 1 | | 2
DNR | | 1 | | 1
DOC | 3 | 3 | 2 | 8
DTED | | 3 | 2 | 5
DTMB-IT | | 3 | 1 | 4
DTMB-MB | 1 | 3 | | 4
LARA | | | 7 | 7
MDARD | 1 | | | 1
MDE | | 2 | 2 | 4
MSP | | 1 | 1 | 2
DOS | | 1 | 1 | 2
Statewide | 1 | 2 | | 3
Treasury | 1 | 5 | 3 | 9
Grand Total | 12 | 30 | 25 | 67
Strategic and Operational Excellence
During August 2015, Contract No. 071B5500121 was executed between the State of Michigan and The McDonnell Company, LLC to implement Operational Excellence, with OIAS and the OGG assigned as program managers for the enterprise contract. Subsequently, in September 2015, the program was expanded to include PwC and Mass Ingenuity for Strategic Excellence, with OGG as the lead program manager and advisory support from OIAS.
Both programs work in tandem with the intent of creating strategic and operational alignment for lasting cultural change in State government. The combined program leverages a top-down (strategic excellence) and bottom-up (operational excellence) approach to implement the Governor's vision of excellence for the State.
OIAS plays a critical oversight role in the program and has built detailed assessment into the Plan to incorporate this effort. The intent of the Plan is to be flexible and aligned with Strategic Excellence to focus engagement effort on the core processes of State government that must work well to drive the State's key outcomes. OIAS will also opine on documentation of core processes and the effectiveness of related controls through a review of process measures, targets, and outcomes as defined on the Governor's Fundamentals and Strategy Maps, which will be completed by February 2016.
Appendix A Department Risk Assessment/Heat Maps
Each department heat map below plots Likelihood (Rare, Unlikely, Possible, Likely, Frequent) against Impact (Incidental, Minor, Moderate, Major, Extreme), shaded LOW, MEDIUM, and HIGH. Markers indicate program size, recent audits/engagements (FY13, FY14, FY15) by OAG, OAG work in process, OIAS, and OIAS planned engagements. Each map is followed by the department's total FY16 appropriations and, where shown, its total number of material weaknesses.
[Heat map; department heading not preserved. Risk universe/business components: IT Applications, IT Technical Infrastructure, IT Management, IT External Controls, DTMB Procurement, Building Operations, Real Estate. Total FY16 appropriations: $1,195,329,600. Total material weaknesses: 25.]
Treasury
On September 22, 2015 the Treasurer and Deputy Treasurers met with Jeff Bankowski, Rick Lowe, and Stacey Bliesener of OIAS. On September 28, 2015 the Lottery Commissioner met with Sandy Streb and Sherri Washabaugh of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.
[Heat map: Treasury. Risk universe/business components: Collections, Tax Processing, Investments, Financial Services, Lottery, Tax Compliance, Tax Policy, Operations, IT Related. Total FY16 appropriations: $1,945,052,200. Total material weaknesses: 3.]
[Heat map; department heading not preserved. Risk universe/business components: Benefits, Compliance, Compensation, Operations, IT Related. Total FY16 appropriations: $67,894,100.]
[Heat map; department heading not preserved. Risk universe/business components: MSF/MEDC, MSHDA, Operations, IT Related. Total FY16 appropriations: $1,153,023,500. Total material weaknesses: 9.]
[Heat map; department heading not preserved. Risk universe/business components: Fire Services, Professional Licensing, Construction Codes, Employment Relations, Operations, IT Related. Total FY16 appropriations: $407,649,000. Total material weaknesses: 15.]
[Heat map; department heading not preserved. Risk universe/business components: Insurance Regulation, Operations, IT Related. Total FY16 appropriations: $65,057,700.]
[Heat map; department heading not preserved. Risk universe/business components: Laboratory Division, Agriculture Development, Operations, IT Related. Total FY16 appropriations: $86,594,000. Total material weaknesses: 2.]
On October 28, 2015 Director Dan Wyant and Chief Deputy Director Jim Sygo of DEQ met with Jeff Bankowski, Bryan Weiler, and Carol O'Callaghan of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.
[Heat map: DEQ. Risk universe/business components: Air Quality, Operations, IT Related. Total FY16 appropriations: $486,909,300. Total material weaknesses: 0.]
[Heat map; department heading not preserved. Risk universe/business components: Wildlife Management, Law Enforcement, Fisheries Division, Operations, IT Related. Total FY16 appropriations: $404,001,200.]
[Heat map; department heading not preserved. Risk universe/business components: Field Operations, Operations, Inspector General, Central Operations, IT Related. Assurance providers shown include OAG, OIAS, and Other (Dept/Fed). Total FY16 appropriations: $25,069,637,100. Total number of material weaknesses: 12.]
[Heat map; department heading not preserved. Risk universe/business components: Enforcements/Complaints Division, Operations, IT Related. Total FY16 appropriations: $16,128,700.]
Department of Corrections (DOC)
On September 15, 2015 Director Heidi Washington and Deputy Director Jeri-Ann Sherry met with Jeff Bankowski and Connie MacKenzie of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.
[Heat map: DOC. Risk universe/business components: Prisons, Offender Programming/Re-entry, Time Comp/Parole/Discharge, Pre-sentence Investigations, Operations, IT Related. Total FY16 appropriations: $1,962,226,000.]
[Heat map; department heading not preserved. Risk universe/business components: Operations, IT Related. Assurance providers shown: OAG, OIAS, Federal. Total FY16 appropriations: $620,837,400. Total material weaknesses: 2.]
[Risk assessment heat map (likelihood against impact, rated LOW, MEDIUM or HIGH) and component table (Program Size, Operations, IT Related; recent audits/engagements by OAG, OAG work in process, OIAS, OIAS planned engagements and Federal); plotted values are not recoverable from this copy.]
Risk universe/business components shown: Veteran Programs; Military Related; Administration and IT.
Total FY16 appropriations: $166,953,700. Total # of material weaknesses: 8. (p. 38)
[Risk assessment heat map (likelihood against impact, rated LOW, MEDIUM or HIGH) and component table (Program Size, Operations, IT Related; recent audits/engagements FY13, FY14, FY15 by OAG and OIAS); plotted values are not recoverable from this copy.]
Risk universe/business components shown: Education Services; School Aid/Finance; Accountability Services.
Total FY16 appropriations: $14,202,205,500. Total # of material weaknesses: 7.
Note: Governor Snyder's Executive Order in March 2015 moved the School Reform Office to DTMB (which is included in
Education Services above); OIAS will address these risks and ensure applicable ICE documentation will be reflected in
DTMB's upcoming ICE cycle. (p. 39)
Secretary of State
(DOS)
On September 21, 2015 Deputy Director Rose Jarios and audit liaison Steve Stier of DOS met with
Connie MacKenzie and Daphne Hobson of OIAS. We discussed the risk assessment/heat map and
outcome analysis presented below.
[Risk assessment heat map (likelihood against impact, rated LOW, MEDIUM or HIGH) and component table (Program Size, Operations, IT Related; recent audits/engagements FY13, FY14, FY15 by OAG and OIAS); plotted values are not recoverable from this copy.]
Risk universe/business components shown: Driver/Vehicle Systems; Elections; Regulatory.
Total FY16 appropriations: $225,256,700. Total # of material weaknesses: 0. (p. 40)
[Risk assessment heat map (likelihood against impact, rated LOW, MEDIUM or HIGH) and component table (Program Size, Operations, IT Related; recent audits/engagements FY13, FY14, FY15 by OAG, OAG work in process and OIAS); component names and plotted values are not recoverable from this copy.]
Total FY16 appropriations: $92,107,600. (p. 41)
APPENDIX B: Agency FY16 Appropriations vs. Budgeted Audit Hours
(The Agency Name column is not present in this copy; rows are in the document's order.)

In-scope agencies (OIAS planned engagements)
Appropriations, All Funds FY16 ($) | % of Total | % of In-Scope | Estimated Audit Hours | % of Hours Budget
86,594,000 | 0.16% | 0.18% | 400 | 1.47%
92,107,600 | 0.17% | 0.19% | | 0.00%
16,128,700 | 0.03% | 0.03% | | 0.00%
67,894,100 | 0.12% | 0.14% | 300 | 1.10%
1,962,226,000 | 3.60% | 4.07% | 2,750 | 10.08%
14,202,205,500 | 26.04% | 29.49% | 2,000 | 7.33%
486,909,300 | 0.89% | 1.01% | 800 | 2.93%
25,069,637,100 | 45.97% | 52.05% | 6,040 | 22.13%
65,057,700 | 0.12% | 0.14% | | 0.00%
407,649,000 | 0.75% | 0.85% | 2,500 | 9.16%
166,953,700 | 0.31% | 0.35% | 500 | 1.83%
404,001,200 | 0.74% | 0.84% | 700 | 2.57%
225,256,700 | 0.41% | 0.47% | 400 | 1.47%
620,837,400 | 1.14% | 1.29% | 350 | 1.28%
1,195,329,600 | 2.19% | 2.48% | 4,700 | 17.22%
1,153,023,500 | 2.11% | 2.39% | 2,700 | 9.89%
1,945,052,200 | 3.57% | 4.04% | 3,150 | 11.54%
Total in-scope: 48,166,863,300 | 88.33% | 100.00% | 27,290 * | 100.00%

Out-of-scope agencies
Appropriations, All Funds FY16 ($) | % of Total | % of Out-of-Scope | Estimated Audit Hours | % of Hours Budget
5,531,100 | 0.01% | 0.1% | N/A | N/A
387,825,600 | 0.71% | 6.1% | N/A | N/A
1,534,724,400 | 2.81% | 24.1% | N/A | N/A
284,851,400 | 0.52% | 4.5% | N/A | N/A
159,304,800 | 0.29% | 2.5% | N/A | N/A
3,896,201,400 | 7.15% | 61.2% | N/A | N/A
95,000,000 | 0.17% | 1.5% | N/A | N/A
Total out-of-scope: 6,363,438,700 | 11.67% | 100.00% | N/A | N/A

Total appropriations, all funds FY16: $54,530,302,000 (100.00%)

* Total audit plan hours of 27,290 is part of total engagement and oversight activities hours of 38,556 on page 5. (p. 42)
APPENDIX C
Columns in the source table: Agency; Audit Report Date; N-New / R-Repeat; Finding Title; Recommendation / Condition; OIAS Assessed Level of Risk. Each entry below gives the report date and assessed risk, then the finding title and condition where they were extracted.

DTMB
- 03/27/15, High Risk. Formal Training Program Could Improve DBA's Database Management: DTMB did not establish a formal training program or take other steps to ensure that all DBAs managing the State's Oracle databases receive sufficient training.
- 01/22/15, High Risk. Security Configuration Enforcement: DTMB did not enforce security configuration profiles within the State's MDM system.
- 08/19/14, High Risk. Interface Controls: DTMB, in conjunction with State agencies, had not fully established effective interface controls over the Enterprise Data Warehouse.
- 06/30/15, High Risk (N-New / R-Repeat: Both). The OAG has noted 23 material weaknesses in the Statewide Single Audit. These weaknesses are managed jointly with OFM and the Departments. OAG will be following up on these as part of the next Statewide Single Audit.
- 09/08/15, Medium Risk. DTMB did not ensure that departments provide timely responses to DTMB's quarterly procurement card compliance and transaction reports.
- 12/11/14, Low Risk. Segregation of Duties: Surplus did not maintain sufficient segregation of duties over the collection and recording of revenue.
- 03/27/15, Low Risk. DTMB did not fully establish and implement effective security configurations for the State's Oracle databases.
- 12/11/14, Low Risk. State Surplus did not maintain sufficient records to accurately account for the disposition of surplus items received from State agencies.
- 01/25/13, Low Risk. OCO, in conjunction with DHS, did not obtain access to DHS's computer networks relating to children's protective services, foster care, adoption services, and the juvenile justice system.

Treasury
- 03/07/14, High Risk. Write-Off of Uncollectible Delinquent Tax Assessments in STAR: Treasury did not accurately and completely write off uncollectible delinquent tax assessments in STAR.
- 07/20/15, High Risk. Collections - System programming should be improved to accurately identify delinquent SUW assessment balances: Treasury did not ensure that the automated system for managing SUW tax returns and payment information is programmed to accurately identify delinquent assessment balances.
- 07/20/15, High Risk. Collections - Comprehensive security is vital to protecting the MARCS application and database: Treasury did not fully establish and implement effective security configurations for the MARCS application and database.
- 07/20/15, Medium Risk. Collections - More timely pursuit of delinquent debts is necessary.
- 07/20/15, Medium Risk. Collections - Improved UBP management and oversight is needed to identify businesses owing taxes: Treasury did not provide sufficient program management and oversight of the UBP to ensure the identification and registration of businesses owing delinquent taxes.
- 12/03/14, Medium Risk.

DTED
- 01/20/12, High Risk. UIA's CU and TEU initiate sufficient and timely efforts to collect delinquent SUTA taxes from contributing employers.
- 01/20/12, High Risk. UIA use available data and data analysis resources to proactively identify and investigate employers potentially involved in SUTA dumping, misclassifying some or all of their employees as independent contractors, in bankruptcy, or not registering with UIA.
- 01/20/12, High Risk. UIA - SUTA Tax Account Actions: UIA's Tax Office timely initiate actions affecting contributing employers' SUTA tax accounts.
- 01/20/12, High Risk. UIA's Tax Office ensure that UIA's master employer files contain up-to-date information.
(p. 43)
APPENDIX C Continued

DTED
- 03/22/11, High Risk. UIA - Classification of Claimants' Misrepresentations.
- 03/22/11, High Risk.
- 01/23/13, Low Risk.
- 01/23/13, Low Risk.
- 03/26/15, Low Risk.

LARA
- 02/20/15, High Risk. Completeness of Investigations.
- 02/20/15, High Risk. Monitoring of HPRP Contractor.
- 02/20/15, High Risk. Completeness and Accuracy of MAPS Data.
- 04/10/14, High Risk.
- 03/13/14, High Risk.
- 05/19/15, Medium Risk. Improved reporting of allegations to APS needed.
- 05/19/15, Medium Risk. Improved inspection documentation needed.
- 04/10/14, Medium Risk.
- 11/27/12, Medium Risk.
- 11/27/12, Medium Risk.
- 02/22/13, Low Risk.
- 04/10/14, Low Risk. Bureau of Fire Services - Efforts to Evaluate Effectiveness: Bureau of Fire Services establish a comprehensive process to assess the effectiveness of its Fire Service operations.
- 04/10/14, Low Risk. Bureau of Fire Services - Monitoring of Training Activities: Bureau of Fire Services monitor State-funded fire training activities and obtain and review course examinations prior to recording passing grades on student examinations.
- 04/10/14, Low Risk. Bureau of Fire Services - Statutorily Required Reporting: Bureau of Fire Services fulfill all statutory reporting requirements.
- 04/10/14, Low Risk. Bureau of Fire Services - Training Conflicts of Interest: Bureau of Fire Services improve its efforts to preclude conflicts of interest among FFTC members, training instructors, training coordinators, county training committee chairpersons, and regional supervisors involved in the firefighter training process.
- 06/25/14, Low Risk. Performance Monitoring: MPSC establish a comprehensive process to evaluate and improve the effectiveness of its operations.

MDARD
- 05/30/13, High Risk.
- 05/30/13, High Risk.
(p. 44)
DHHS
- 06/17/14, High Risk. Medicaid Home Help Provider Service Log or Invoice Documentation: DHHS timely obtain sufficient documentation to ensure providers have delivered the services paid for through a preauthorized payment process.
- 05/31/13, High Risk. Interface Processing Controls: DHHS and DTMB fully establish effective processing controls over Bridges interfaces.
- 07/09/14, High Risk. Adult Protective Services - Client Service Plans: APS caseworkers consistently complete APS client service plans as required.
- 07/09/14, High Risk. Adult Protective Services - Evaluation of APS Effectiveness: fully develop and implement a process to evaluate the effectiveness of APS intervention services.
- 07/09/14, High Risk. APS caseworkers conduct monthly face-to-face contacts with APS clients with open APS investigations, as required.
- 07/09/14, High Risk. DHHS investigate all allegations identified in referrals assigned for an APS investigation.
- 07/09/14, High Risk. DHHS county/district offices begin and conduct APS investigations in accordance with standards of promptness established by the Michigan Compiled Laws and DHHS policies.
- 07/09/14, High Risk.
- 01/22/14, Medium Risk. File Share Server Security and Access Controls: DCH, in conjunction with DTMB, fully establish effective security and access controls over the file share servers that contain the State's electronic birth and death records.
- 06/17/14, Medium Risk. ASW Contacts With Clients and Providers: DHS and DCH timely obtain sufficient documentation to ensure that Medicaid Home Help program providers have delivered the services paid for through a preauthorized payment process.
- 05/31/13, Medium Risk. Bridges Change Controls: DTMB, in conjunction with DHS, comply with SUITE, contract provisions, and change control best practices.
- 05/31/13, Medium Risk. ClearCase and ClearQuest Access: DTMB establish effective access controls over the Bridges version control tool, ClearCase, and the Bridges workflow tool, ClearQuest.
- 01/29/14, Low Risk. Patient Observation: Center for Forensic Psychiatry ensure that its staff more effectively observe patients.
- 07/31/13, Low Risk. Recovery of Medicaid Costs: HILS attempt to recover and timely recover Medicaid pharmaceutical costs that are the potential liability of Medicare.
- 08/08/14, Low Risk. Timeliness of Complaint Resolution: ORR initiate investigations immediately upon receipt of complaints involving alleged abuse or neglect; ORR timely complete interventions and investigations.
- 08/08/14, Low Risk. Review of Recipient Deaths: ORR perform preliminary reviews of all patient deaths that State psychiatric hospitals report to ORR; ORR maintain sufficient documentation to support that ORR performed preliminary reviews of all patient deaths.

- 06/25/14, Low Risk (agency label not present in this copy).

MSP
- 06/06/14, Low Risk. Unobligated Funds.

DMVA
- 04/30/13, Medium Risk.
- 04/30/13, Medium Risk.
- 05/14/15, Low Risk.
- 05/14/15, Low Risk.
- 12/20/13, Low Risk.
- 12/20/13, Low Risk.
- 05/14/15, Low Risk.
(p. 45)
DMVA (continued)
- 05/14/15, Low Risk. Comprehensive evaluation of program effectiveness needed.

MDE
- 07/17/13, High Risk. MDE conduct periodic tests of its Central Registry records check processes to ensure that they effectively identify individuals with substantiated histories as perpetrators of child abuse and/or neglect and prevent them from providing child care services; MDE include inactive unlicensed child care providers in its Central Registry records check processes.
- 07/17/13, High Risk. CCDF - Terminable Crimes and Codes List: MDE ensure that the terminable crimes and codes list is complete and includes the crime description and conviction coding information necessary to identify unsuitable unlicensed providers.
- 07/17/13, High Risk. CCDF - Criminal History Checks at Enrollment: MDE strengthen its ICHAT records check process.
- 07/17/13, High Risk. CCDF - Monthly Criminal History Checks: MDE ensure that its monthly ICHAT records check process works effectively to detect active unlicensed providers with terminable convictions in ICHAT records.
- 07/17/13, High Risk. CCDF - Suitability of Adult Household Members of Unlicensed Providers and Family and Group Child Care Home Providers: MDE and BCAL implement controls to ensure that criminal background and Central Registry check processes effectively identify and terminate unlicensed providers and family and group home providers with adult household members that have criminal convictions of terminable crimes or were substantiated as perpetrators of child abuse and/or neglect; MDE utilize internal and publicly available information to help identify unreported adult household members of unlicensed providers who care for children in their own homes.
- 03/14/14, Low Risk. Change Control Process: MDE and DTMB continue to develop a comprehensive change control process for MEGS+ and FNS-FRS.
- 03/14/14, Low Risk. Database Security: DTMB and MDE monitor privileged user activity and automated audit logs of high-risk events for the SAMS, MEGS+, CMS, and FNS-FRS databases.
- 03/14/14, Low Risk.
- 11/15/13, Low Risk.
- 11/15/13, Low Risk.

DOS
- 01/16/15, High Risk.

MDOT
- 02/16/15, N/A.
- 02/20/15, N/A.
- 06/06/14, N/A.
- 02/02/15, N/A.
- 02/02/15, N/A.
(p. 46)