
Office of Internal Audit Services

Mission
To enhance and protect organizational value by
providing Executive branch departments and agencies
of the State of Michigan with risk-based, objective and
reliable assurance, advice, and insight

[Cover graphic: word cloud of values: Leadership, Courage, Measures, Duty, Enthusiasm, Excellence, Focus, Integrity, Accountability, Vision, Teamwork, Collaboration, Results, Loyalty, Camaraderie]

DRAFT 2016 Risk Assessment
and Plan of Engagements

State of Michigan
October 1, 2015 through
September 30, 2016

TABLE OF CONTENTS

Executive Summary
Introduction
2016 Fiscal Year Appropriation for Office of Internal Audit Services (OIAS)
Plan of Engagements
Mission, Vision, and Core Principles of OIAS
Mission
Vision
Core Principles
Definition of Internal Auditing
Purpose
Statutory Mandates
Governance and Risk Management Approach
Enterprise Risk and Control Committee
Lines of Defense Model
Plan of Engagements Methodology
Preparing for the Risk Assessment and Plan of Engagements
Consideration of Information Technology Processes
Red Card
Office of the Auditor General (OAG) Collaboration
Office of Good Government (OGG) Collaboration
OAG Material Weakness Evaluation
Look Back Analysis/Project Carryforward
Project Selection and Prioritization Process
Risk Factors
Planned Engagements
Strategic and Operational Excellence
Appendix
Appendix A Department Risk Assessment/Heat Maps
Appendix B Agency FY 16 Appropriations vs. Budgeted Audit Hours
Appendix C Listing of OAG Material Weaknesses as of September 30, 2015

Confidential

Draft

Explanatory Note:
The attached document is in draft format, subject to review and approval by the Enterprise
Risk and Control Committee (Risk Committee).

Executive Summary
The Management and Budget Act of 1984 required each principal department within the Executive
branch to appoint its own internal auditor. Executive Order (EO) No. 2007-31, effective October 1,
2007, essentially consolidated the internal audit function and established a centralized Office of
Internal Audit Services (OIAS) within the State Budget Office (SBO), and transferred the authority,
responsibilities, duties, functions, and resourcing for internal audit services to the State Budget
Director.

Since the implementation of the EO in 2007, OIAS has been successful in the creation of a
centralized internal audit approach and its supporting role in statutory compliance with Michigan
Compiled Laws Section 18.1485, as amended by Section 18.46. This law requires each principal
department to establish, maintain, and evaluate the sufficiency of its internal control and issue a
biennial report to the Governor. The law also requires an independent review by OIAS on the
overall adequacy of the department's evaluation and reporting processes. This approach, while not
exact, has similar overall themes and characteristics to the U.S. federal law enacted by Congress on
July 30, 2002, commonly known as the Sarbanes-Oxley Act.

On April 1, 2015, State Budget Director John Roberts and Chief Internal Auditor Jeff Bankowski
presented a draft vision and reinvention plan to Governor Rick Snyder and Senior Advisor and
Transformation Manager Rich Baird. Key components of the reinvention plan included a top-down
and bottom-up review of the existing internal audit risk methodology, a framework for
enhanced collaboration with the Office of Auditor General (OAG) to resolve recurring material
weaknesses and reduce duplication of effort, and the creation of an oversight risk committee. The
reinvention plan will continue to emphasize traditional internal audit assurance and consulting to the
principal departments and agencies, which will include areas such as performance and program
assessment, operational excellence, scorecards/metrics, Good Government initiative support, and
staff augmentation/risk assessment of the Statewide Integrated Governmental Management
Applications (SIGMA) IT system implementation. The newly created Risk Committee will monitor
OIAS's Risk Assessment and Plan of Engagements (the Plan) on a quarterly basis.

Ultimately, it is the desire of the State of Michigan (State) to further capitalize on its significant
investment in internal control and strong "tone at the top" to build a leading practice internal audit
and risk management process with a long-term goal of OIAS achieving a "trusted advisor" status
with its critical stakeholders.

Introduction

This document provides a written roadmap for the Fiscal Year 2016 Plan. In implementing its
mission, OIAS practices conform to the International Standards for Professional Practice of Internal
Auditing (Standards) issued by the Institute of Internal Auditors (IIA). IIA Standards require that
the Chief Internal Audit Executive establish a risk-based plan to determine the priorities of the
internal audit activity consistent with the organization's goals. This Plan provides our vision of
internal audit efforts for the fiscal year, allocating resources to the most critical areas of risk within
the State.

OIAS's overall approach to this document leverages Governor Snyder's planning approach of
"Vision, Engage, Adjust, and Attack." Our intent for the risk assessment planning process is not to
be overly prescriptive on each activity but rather flexible and proactive with our stakeholders due to
the changing risk profile and dynamic nature of the State. To illustrate that flexibility, OIAS will
provide an update regarding its risk assessment and prioritization process every six months and will
adjust the rolling plan based on feedback and approval of the Risk Committee. The projects initially
identified for the Plan leveraged a formal risk assessment model that considered input from various
stakeholders including the Executive Office of the Governor, the Cabinet members, State agency
management, and the State Budget Office. The Risk Committee performs final approval and
oversight of the Plan.

2016 Fiscal Year Appropriation for OIAS

The total appropriation for OIAS during 2016 amounts to approximately $5.4 million representing
no material change from the $5.4 million appropriated in 2015.
Sources of Funding

Appropriations                              FY 2016        FY 2015
General Fund/General Purpose            $ 3,272,600    $ 3,549,000
Special Revenue/SWCAP                     1,482,400      1,220,600
State Restricted Indirect Funds             617,900        617,900
Total                                   $ 5,372,900    $ 5,387,500

Disposition of Appropriations

Category                                    FY 2016        FY 2015
                                             Budget       Incurred
Salaries & Fringes
  Salaries                              $ 2,890,231    $ 2,757,936
  Longevity                                  11,510         11,431
  Insurance                                 483,465        452,555
  Retirement/FICA                         1,797,466      1,665,863
  Supplemental Retirement                     7,705         30,819
  Total Salaries & Fringes              $ 5,190,377    $ 4,918,605
Support
  Travel                                $     9,500    $     9,500
  Conferences and Seminars (Training)        10,000         10,000
  IT Expenditures                           129,550        132,025
  Other Support                              33,473         24,600
  Total Support                         $   182,523    $   176,125
Total Appropriation                     $ 5,372,900    $ 5,094,730

Plan of Engagements

Below is the Internal Audit budgeted hours by activity beginning October 1, 2015 through
September 30, 2016. This budget assumes no change in current staffing headcount.
Activity

2016 Internal Audit Budgeted Hours by Activity


Hours

Engagement Activities
Operational Excellence / Process reviews
Material Weaknesses: Validation
Consulting
Material Weaknesses: Corrective Action Consultation
Assurance
Reserve for Agency requests
Statewide Initiatives
SIGMA Support
Enterprise Information Management (EIM)
Risk Assessment and Plan of Engagements
Internal Control Evaluation

Activity

Hours

30,876 Infrastructure and Process Improvements


8,040 Strategic Plan Activities
7,750
Employee training and procedure manual
3,400
Engagement process improvement - LEAN
3,150
Corrective Action Monitoring
1,150
Branding and Stakeholder Survey
7,386 TeamMate support and enhancements
Engagement quality assurance
3,700 OIAS Time & Performance Metrics
3,500 Employee evaluation/performance management
200 Audit & Analytics Computer Environment (AACE)
monitoring
600 Data analytics support
End User Computing (EUC) coordination

9,980
3,400
2,000
600
300
700
1,120
650
500
460
200
50

1,100

Fraud
W2- Reviews
Other Planned Engagements
Sec 487 (potential irregularities)

900 Quarterly Reporting to Risk Committee


200 Divisional assessment, measurement, and quarterly committee presentation
700 Report coordination
300
300 General Administration
100

Departmental Support/Partnership Activities


External audit liaison
Departmental leadership meetings

Earned Leave / State Holidays


700 Leave
500 Holidays
200

Statutory Reporting Responsibilities


60-day response and CAP monitoring

550
550

ICE Reengineering
Central monitoring/support

CAFR/Financial Reporting Responsibilities


CAFR Support Projects
Third Party Service Organization monitoring

280
200
80
5,324
11,000
7,928
3,072

1,230
1,150
80

Total Hours Available for Plan                  66,040

  Total Engagement and Oversight Activities     38,556
  Total Strategic Initiatives                    4,700
  Total Professional Development                 3,000
  Total Effort Supporting Processes              3,460
  Total General Administration                   5,324
  Total Earned Leave / State Holidays           11,000

Mission, Vision, and Core Principles of OIAS


In August 2015, as a follow up to the OIAS reinvention plan presented to the Governor and to
conform to revised guidance issued by the IIA, OIAS commenced a structured and disciplined
approach to revise, adjust, and affirm, where applicable, its mission, vision, and core principles.

Mission
To enhance and protect organizational value by providing Executive branch departments and
agencies of the State of Michigan with risk-based, objective and reliable assurance, advice, and
insight.

Vision

To be regarded as trusted advisors who positively impact the efficiency and effectiveness of
services that Executive branch departments and agencies deliver to the citizens of Michigan.

[Figure: Trusted Advisor matrix. Axes: Competence and Relationships. Quadrants: Capable but poorly aligned; Compliance function; Trusted Advisor; Engaged but not strategic.]

Core Principles
The 10 core principles highlight what effective internal auditing looks like in practice as it relates to
the individual auditor, the internal audit function, and internal audit outcomes. The 10 OIAS core
principles are:
Demonstrates uncompromised integrity
Demonstrates commitment to competence, accountability, and due professional care
Displays objectivity in mindset and approach and is free from undue influence
Aligns with the strategies, objectives and risks of the Governor & Executive Branch
Is appropriately positioned and adequately resourced
Demonstrates quality, innovation, and continuous improvement
Communicates effectively
Provides risk-based assurance to those charged with governance
Is insightful, proactive, and future-focused
Promotes organizational improvement

Definition of Internal Auditing

Internal auditing is an independent, objective assurance and consulting activity designed to add value
and improve the State of Michigan. It helps the State accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes.

Purpose
OIAS's purpose is to help ensure:
Risks are appropriately identified and managed
Programs, plans, and objectives are achieved
Significant financial and operating information is accurate, reliable, and timely
Resources are acquired economically, used efficiently, and adequately safeguarded
Employees' actions are in compliance with policies, standards, procedures, and applicable laws and regulations
Quality and continuous improvement are fostered in the State's internal control process
Significant legislative or regulatory issues impacting the State are addressed appropriately
Interaction with the various governance groups occurs as needed

Statutory Mandates
With respect to its 2016 Plan, OIAS meets the statutory mandates of the required internal audit
functions as defined in Michigan Compiled Laws (MCL) Section 18.1486, as amended by Section
18.46. These mandates include:
1. Receive and investigate any allegations that false or misleading information was
received in evaluating a principal department's internal accounting and
administrative control system or in connection with the preparation of the biennial
report on the system
Assessment: OIAS has an established process to investigate any allegations with respect
to false or misleading information. OIAS, where applicable, collaborates with the
Attorney General and Inspectors General of select departments to ensure any allegations
are properly addressed. In addition, departments will next report on their system of
internal control in May 2017, and related OIAS efforts will be included in the 2017 Plan.
2. Conduct and supervise audits relating to financial activities of a principal
department's operations
Assessment: OIAS, in conjunction with the principal departments, has included audits
of financial activities in its Plan. In addition, OIAS will conduct select financial activities
with respect to the State's Comprehensive Annual Financial Report (CAFR).
3. Review existing activities and recommend policies designed to promote efficiency in
the administration of a principal department's programs and operations
Assessment: OIAS, in conjunction with the principal departments, has built a detailed
Plan with the intent of recommending policies designed to promote efficiency and
effectiveness in the departments' programs and operations.
4. Recommend policies for activities to protect the State's assets under the control of a
principal department, and to prevent and detect fraud and abuse in the principal
department's programs and operations
Assessment: OIAS advises principal departments on policies to protect the State's assets
and assesses the risk for fraud and abuse during our engagements. Additionally, OIAS
discusses fraud and abuse risk factors in our ongoing interaction with stakeholders and
has integrated the Committee of Sponsoring Organizations of the Treadway
Commission's (COSO) enhanced fraud risk assessment considerations into the statutorily
required enterprise-wide internal control evaluation (ICE) process.
5. Review and recommend activities designed to ensure that a principal department's
internal financial control and accounting policies are in conformance with applicable
accounting directives
Assessment: OIAS, in conjunction with the principal departments and the Office of
Financial Management (OFM) within SBO, has built a detailed Plan with the intent of
recommending policies designed to promote internal financial control and ensure
departments' accounting policies comply with applicable OFM accounting directives.
6. Provide a means to keep the State Budget Director and the head of a principal
department fully and currently informed about problems and deficiencies relating to
the administration of the principal department's programs and operations, and the
necessity for, and progress of, corrective action
Assessment: On a weekly basis, the Chief Internal Auditor meets with the State Budget
Director to ensure that the Director is fully informed regarding enterprise risk and
internal control. In addition, the Chief Internal Auditor will meet quarterly with the newly
formed Risk Committee for the 2016 fiscal year. OIAS has a process to identify internal
control weaknesses and to assess the principal departments' plans for remediation. OIAS
uses this information in the annual planning process and when conducting individual
engagements. Finally, a primary purpose for communicating our engagement results is to
keep our various stakeholders informed about new problems and deficiencies.
7. Conduct other audit and investigative activities as assigned by the State Budget
Director
Assessment: The engagement plan includes the audits and investigative activities
identified by our departmental stakeholders as well as the State Budget Director.
8. Prepare biennial reports for principal departments regarding their ICE results
Assessment: OIAS meets this statutory requirement in odd-numbered years. The next
reporting date is May 1, 2017, and related OIAS efforts will be included in the 2017 Plan.
OIAS's 2016 Plan includes several engagements to improve the biennial reporting
process. The Plan also includes Strategic and Operational Excellence and several process
review engagements designed to make further improvements to internal control
documentation associated with departments' evaluation activities.
9. Report immediately to the State Budget Director and the principal department head
if the internal auditor becomes aware of particularly serious or flagrant problems,
abuses, or deficiencies relating to the administration of programs or operations of a
principal department or agencies within the department
Assessment: As a normal course of business, departments periodically inform OIAS of
potentially serious or flagrant problems, abuses, or deficiencies. OIAS engagements
include steps designed to identify these types of serious issues. OIAS practice is always to
conduct necessary investigative and inspection procedures pursuant to professional
standards to substantiate that issues have or have not occurred, at which point our
standard protocol is to report immediately to the State Budget Director and the principal
department head.
10. Further, the statute requires internal auditors to adhere to appropriate professional
and auditing standards in carrying out any financial or program audits or
investigations
Assessment: OIAS adheres to the International Standards for Professional Practice of
Internal Auditing (IIA Standards). Those Standards require that the Chief Internal
Auditor develop and maintain a Quality Assurance and Improvement Program (QAIP)
that covers all aspects of the internal audit activity. Standards further require that the
QAIP must include both internal and external assessments. OIAS meets the internal
assessment by performing ongoing monitoring of its internal audit activities and by
performing periodic self-assessments. OIAS meets the external assessment by
performing an internal assessment with independent external validation every five years.
OIAS's most recent review was performed by Experis Finance, who conducted an
independent validation of the OIAS quality self-assessment. On September 27, 2012,
Experis Finance concluded and issued an opinion that overall OIAS "generally conforms,"
which is the highest rating. Our next external assessment is planned for 2017.

Governance and Risk Management Approach


Effective governance is based on establishing a framework that supports the activity of the State in
achieving its objectives. A robust framework defines the limits of acceptable behavior without
limiting innovation. The State's governance structure includes the newly formed Enterprise Risk and
Control Committee and its corresponding Lines of Defense.

Enterprise Risk and Control Committee


On September 21, 2015, State Budget Director John Roberts and Chief Internal Auditor Jeff
Bankowski recommended to Governor Rick Snyder the creation of an Enterprise Risk and Control
Committee for the Executive branch. Based on leading practices and Good Government
constructs, the State Budget Director indicated accountability and customer engagement would
increase through a more robust and cross-functional discussion with quarterly monitoring from an
engaged stakeholder group. The Risk Committee assists the State Budget Director and Chief
Internal Auditor in prioritizing limited OIAS resources.

Enterprise Risk and Control Committee Members


Chairperson: John Roberts, State Budget Director
Committee Members (Representing the Governor's Executive Groups):
Rich Baird, Governor's Executive Office
David Behen, Value for Money Government
Nick Lyon, People
Jamie Clover Adams, Quality of Life
Mike Zimmer, Economic Strength and Office of Good Government

Lines of Defense Model

Risk assessment and internal audit are integral parts of the governance framework. This framework
has three main elements, or lines of defense, all of which combine to provide the Risk Committee,
as the Governing Body, with assurance that the State is effectively managing risk as depicted below:

The first line of defense rests with the department and agency operations and management
that perform the day-to-day risk management activity, largely through established processes
and project management controls.

The second line of defense is held by the oversight functions within the State at the
administrative level in such areas as legal, finance, budget, compliance, quality, and
information technology. They provide guidance to the business on risk areas where policies
and procedures are necessary.

Internal Audit forms the third line of defense, offering independent oversight and assurance
that the processes in the first two lines of defense are operating effectively.

Other assurance providers are depicted such as External Audit (OAG) and Federal
Regulators. These entities, although separate from the Executive Branch, provide
information, assurance and coverage that the State is operating as intended.

Each line of defense provides information to Senior Management and the Governor to help
monitor operations and maintain stewardship responsibilities to its citizens. Consistent with leading
practices, the work of OIAS should address the gaps in the assurance effort rather than replicating
management activity or that of the other providers. At the same time, however, OIAS should
provide objective monitoring with regard to the effectiveness of management and their processes.

Plan of Engagements Methodology


The OIAS planning methodology considers the three lines of defense of the governance framework
and its Internal Audit Methodology to focus on areas of high agency risk and areas of concern while
not replicating the assurance provided by others.

Focusing on Risks and Associated Mitigating Actions Is Fundamental in the
Formation of the 2016 Risk Assessment and Plan of Engagements

Key Stages in the Approach
Define engagement parameters
Examine the key strategic drivers of each agency in order to identify significant risks
Identify the processes used to manage key risks
Leverage Strategic and Operational Excellence
Follow a top-down/risk based review
Allocate resources to the greatest risk
Initial review and monitoring of current risk mitigation activities
Engagement on assessing controls
Report and follow-up

Benefits
Effective and efficient engagement with an emphasis on leading practices
Coordinates with OAG to ensure maximum reliance and reduction of duplicate effort
Transparent reporting
Prompt response to emerging issues
Valuable feedback and advice
Assessment of control design/effectiveness
Aligns internal audit efforts with key processes identified in ICE
Monitoring of compliance with critical programs and operational excellence policies
Continuous improvement on ideas that can help manage risk and improve performance

Preparing for the Risk Assessment and Plan of Engagements


OIAS performed a preliminary risk assessment on behalf of Senior Leadership of the Executive
Branch to develop the 2016 Plan. The risk assessment process involves ongoing interaction with
our stakeholders and a formal process to review current documentation. These documents
included, but were not limited to, the following:
2014 State of Michigan Comprehensive Annual Financial Report (SOMCAFR)
2014 Statewide Single Audit Report and related corrective action plans
2015 Appropriation Acts
2015 SIGMA IT revised implementation plan and Project Charter
Documentation for Departments' 2015 Biennial Report on their Internal Control Evaluation (ICE)
Michigan's 10-Point Reinvention Plan
Department strategic plans, program changes, and related scorecard/metrics
DTMB Call for Information Technology (IT) Projects for FY15
2015 List of Material Weaknesses and related corrective action plans
State of Michigan "RED CARD" IT services associated with critical business functions

Subsequent to the review of the aforementioned documentation, OIAS requested feedback on risks
and opportunities in each Executive branch department. Cabinet members, department leadership,
and other stakeholders provided this feedback. See Appendix A, Department Risk
Assessment/Heat Maps, for further details.

Consideration of Information Technology Processes

The Department of Technology, Management and Budget (DTMB) is the State's Executive branch
IT service provider and serves as the general contractor between the State's information technology
users and private sector IT service providers. DTMB is responsible for establishing and coordinating
the technological direction of the State. In doing so, DTMB works with State departments and
agencies to ensure a secure and effective operating environment for the State's Information
Technology infrastructure.

DTMB also has primary responsibility for establishing, maintaining, and monitoring internal control
over the State's IT environment (general controls) and supporting processes. However, some
aspects of the State's general controls are not implemented enterprise-wide; instead, they are
established and maintained at the department business process level based on guidance issued by
DTMB. As a result, DTMB and departments share responsibility for designing, implementing, and
performing business process-level control activities and assessing their control effectiveness.

Departments, as the IT application and data owners, have primary responsibility for designing,
implementing, and conducting application-specific internal controls (ASCs) and assessing their
effectiveness.

Historically, OIAS assurance coverage of IT issues involved enterprise-wide evaluations of general
control processes (e.g., Web application security, Oracle database administration) and DTMB's
progress at remediation. OIAS completed assessments in 2010 and 2015, and provided overall
conclusions for DTMB's process capability maturity for key theme areas, including IT security
program, system access, statewide continuity planning, change control/management, and IT
contracting practices. In response to these two assessments, DTMB included in its 2015 "Call for
IT Projects" the need to address theme area control remediation as a project. The vision for this
project is to embed into DTMB's management process an ongoing assessment of control
effectiveness for the identified theme areas and underlying unresolved material weaknesses.

For the upcoming fiscal year, OIAS engagements associated with IT topics will involve follow-up of
previous control issues classified as material weaknesses. Of the 106 material weaknesses considered
in this plan development cycle through September 30, 2015, 18 were associated with IT-related
issues. OIAS classified nearly all of the IT material weaknesses as medium or high risk based on the
defined criteria. These insights highlight both the importance and pervasiveness of information technology
across the enterprise. Due to the importance of IT from a risk and control perspective, OIAS plans
to participate on the DTMB Theme Area Control Remediation Project, and as a subject matter
expert on controls for the SIGMA IT project. Specifically, OIAS has allocated 2.5 full-time
resources to the SIGMA project during the 2016 fiscal year.

Red Card

The State's "Red Card" is a listing of services/applications that State agencies, in conjunction with
DTMB, have identified as critical and that require significant priority for business resumption
procedures. In planning new engagements and follow-up of agency remediation efforts, OIAS
considered the Red Card's services/applications in its holistic view of risks.

Office of the Auditor General Collaboration

On June 24, 2015, the OIAS and OAG signed a Memorandum of Understanding (MOU) that
outlined several planned activities to begin collaboration on assurance efforts and to reduce
duplication of effort in accordance with the three lines of defense model. To that end, on October
26, 2015, OIAS leadership met with the Auditor General and Deputy Auditor General to discuss
our current risk assessment and planned activities. See Appendix A for heat map assessments that
include the OAG's past and current audit efforts.

Due to their interconnecting roles, OIAS and OAG will continue to collaborate within the limits of
their respective organizations' charters, professional standards, and statutory mandates to minimize
the duplication of effort and to foster an effective working relationship for the benefit of the
Executive branch departments, agencies, and the citizens they serve.

Office of Good Government Collaboration

Governor Snyder created the Office of Good Government (OGG) during his first term. OGG
provides strategic direction and training on programs that include employee engagement, change
management, service/process optimization, and performance management. Ultimately, the goal of
OGG is to create an efficient, effective, transparent, accountable, and customer-centered State
government.

Many of the goals of OGG regarding efficiency and effectiveness are similar to those of OIAS.
Thus, both entities have committed to collaborate regarding various initiatives. To further
strengthen the linkage, John Roberts, the State Budget Director, and Director Mike Zimmer of
Licensing and Regulatory Affairs (LARA) are members of both the Good Government Committee
and the Enterprise Risk and Control Committee.

During its 2016 Risk Assessment and Plan of Engagements process, OIAS and OGG collaborated,
where applicable, to discuss opportunities and gain synergies in their consulting efforts to further
support process improvement in the State. See details below for further discussion regarding
OIAS's and OGG's combined roles in Strategic and Operational Excellence.

OAG Material Weaknesses Evaluation

In May 2015, OIAS initiated an analysis and roll up of material internal control weaknesses included
in audit reports issued beginning October 1, 2012. A material weakness is defined as a matter that,
in the auditor's judgement, is more severe than a reportable condition and could impair the ability of
management to operate a program in an effective and efficient manner and/or could adversely affect
the judgement of the interested person concerning the effectiveness and efficiency of the program.
We evaluated the current status of material weaknesses and collaborated with the OAG on plans to
conduct follow-up engagements for the purpose of assessing implementation of corrective actions
intended to remediate the material weaknesses and to offer consultation for any design deficiencies
identified. OIAS classified the material weaknesses as high, medium, or low risk based on
consideration of several quantitative and qualitative factors. These assessments are included in
Appendix C - Listing of Material Weaknesses. Our Plan includes those material weaknesses we
intend to either follow-up and validate remediation results, or to consult on the sufficiency of the
planned efforts.
OIAS also included in its initiatives in fiscal year 2016 enhancements to our audit repository process
(Teammate) for reconciling material weaknesses with the OAG. These enhancements are intended
to enhance the audit planning process and reporting on the status of known material weaknesses.

Look Back Analysis / Project Carryforward


Since July 2015, OIAS has concentrated its efforts to finalize all engagement activities for prior
years. As of October 30, 2015, only four engagements remain open:
DEQ SAW Grant Program Administration
DOC Service Contract Consult
DHHS Data Consult
DTMB Enterprise Architecture

Project Selection and Prioritization Process

OIAS's development of its annual risk-based Plan is a multi-step iterative process. OIAS first
identified and conducted a risk assessment of the State's auditable entities. To ensure selection of
highest risk and value-added projects, OIAS mapped each identifiable business component to the
departments' critical assessable units identified during the 2015 ICE cycle. In addition, OIAS
identified other factors such as departmental scorecard/metrics, major federal programs, significant
contracts, information systems, management concerns, and reported material weaknesses associated
with each critical assessable unit.

OIAS based the number of projects selected for inclusion in the Plan on factors such as the impact
the project may have (the problem or risks it addresses and the likely types of opportunities for
improvement that may result); the sensitivity, complexity, and difficulty of the project compared to
its likely impact; the amount of audit coverage already being provided by OAG and other
department audit functions; OIAS staff qualifications; and available resources. In addition, the Plan
includes several entity-wide projects selected for the opportunity to address common high-risk areas
across the organization.

OIAS recently participated in a benchmarking review with various third parties including internal
audit teams from Blue Cross Blue Shield, Accident Fund, and the State of Ohio. Additionally, OIAS
engaged DTMB's Office of Performance Management in October for a lean review of its audit
planning methodology. These efforts are planned into January 2016, and are included in our Plan of
Engagements. All of the initiatives discussed are intended to expand OIAS's capability to move
towards higher risk engagements with narrower scope. This effort will allow for quicker turnaround
times and enable a timely response to identified issues. However, some projects are inherently
complex and require additional time for OIAS to provide quality results and to comply with IIA
Standards.

OIAS's available resources limit the number of projects that can be completed each year. As a
result, there may be a number of high-risk areas that are not addressed by the Plan.


Risk Factors

OIAS used eight factors to assess the risks associated with the State's auditable entities. Risk factors
were scored based on likelihood of the risk and the impact of the event. Weights were assigned to
the various risk factors to calculate a composite risk score and initial heat maps for each auditable
entity. The heat maps were further adjusted based on agency leadership feedback and OIAS's
professional judgment. Using this information, OIAS further determined areas to prioritize and
provide to the Risk Committee for review.
Risk Factors and Associated Weights

| Risk Factor | Weight | Description |
|---|---|---|
| Management Concerns | 150% | Management concerns or other known issues. |
| Importance of Business Objective to the State's Overall Mission | 100% | The impact of the auditable activity in relation to the State's overall mission, goals, and strategic plan. |
| Control Environment | 100% | Measure of program area's overall attitude toward maintaining a sound system of internal control. |
| Known Material Weaknesses to Be Followed Up | 100% | Measure of existing material weaknesses or engagements that require follow up. |
| Dollar Amount Supported Through Activity | 70% | Measure of the exposure or loss related to the amount of money supported through the business objective. Over $500 million = 5; $250 million to $500 million = 4; $100 million to $250 million = 3; $15 million to $100 million = 2; $15 million or less = 1. |
| Regulatory / Legal Requirements / Federal Funding | 65% | Measure of exposure, loss or regulatory sanction due to complexity and volume of regulations, penalties for noncompliance, and the amount of federal funding. |
| Maturity of Business Process | 60% | Measure of various factors including: changing processes; established policies and procedures, adequate resources, program staff training, experienced managers, program performance measurements. |
| Exposure Risk | 50% | Measure of exposure, loss or sensitivity based on the visibility of business objective by the legislature, special interest groups or public interest. |

Planned Engagements

The following schedule represents planned engagement areas based on an evaluation of agency audit
priorities from heat maps, discussions with agency management, and available resources.
OIAS, in consultation with the Risk Committee, may revise projects and schedules of the Plan.
The OIAS level of effort included in the Plan is generally categorized as follows:
Small: less than 300 hours
Medium: between 300 and 500 hours
Large: between 500 and 800 hours
The planned areas for fiscal year 2016 include:
Value for Money Government and Treasury

| # | Department | Engagement Area | Level of Effort | Type of Engagement | Description of Engagement Scope |
|---|---|---|---|---|---|
| 1 | Treasury | Office of Financial Services | Small | Consulting | Develop scope for SOC1 and SOC2 reports of Chase bank activities. |
| 2 | Treasury | Tax Processing and Office of Financial Services | Medium | Consulting | Develop/evaluate process for managing City of Detroit income tax processing. Will be used by City's external auditors. |
| 3 | Treasury | Collections | Small | Follow Up | Accounts Receivable material weakness. |
| 4 | Treasury | Collections | Large | Consulting | Process review in coordination with LEAN activities, and consult on several OAG material weaknesses. |
| 5 | Treasury | Local Government | Small | Follow Up | Performance process review. |
| 6 | Treasury | Local Government | Small | Follow Up | OAG audit of Principal Residence Exemption material finding. |
| 7 | Treasury | Critical Assessable Unit (CAU) to be determined | Medium | Consulting | Process review. |
| 8 | Treasury | Local Government | Medium | Consulting | Essential Services Assessment process review. |
| 9 | Treasury | Lottery - iLottery | Medium | Assurance | Review application controls. |
| 10 | CSC | Office of Compliance | Medium | Follow Up | Monitoring and CQI Process Review. |
| 11 | DTMB-MB | Office of Support Services | Medium | Assurance | Assist in contract oversight with VTS contracts, primarily on-site visit with Wheels, Inc. to review contract pricing documentation. |
| 12 | DTMB-MB | Office of Retirement Services | Small | Consulting | Year-end closing review, in support of SOM CAFR. |
| 13 | DTMB-MB | Office of Procurement | Small | Consulting | Participate on Purchasing process improvements and monitoring activities and consult on the development of the Enterprise Procurement Policy Manual. Includes three OAG material findings. |
| 14 | DTMB-MB | SBO - OFM/Statewide Single | Small | Consulting | Review vendor file controls designed to prevent unauthorized changes. |
| 15 | DTMB-IT | IT Mgmt., IT Tech Infrastructure, IT Apps, Cybersecurity | Medium | Consulting | Consult on the IT Theme Area Project. This DTMB project is intended to implement an enterprise control and monitoring solution for common IT internal control weaknesses. |
| 16 | DTMB-IT | IT Mgmt., IT Apps | Medium | Follow Up | Enterprise data warehouse material findings. |
| 17 | DTMB-IT | IT Mgmt., IT Apps | Small | Consulting | Propose enhancements to SUITE for the development of IT internal control design/evaluation methodology. |
| 18 | DTMB-IT | IT Mgmt., IT tech infrastructure, IT apps, Cybersecurity | Small | Consulting | Enterprise Cybersecurity consulting project. |
| 19 | Statewide | ICE | Large | Consulting | Implement voice of customer and changes to the internal control evaluation (ICE) process. |
| 20 | Statewide | Statewide | Medium | Assurance | Statewide fraud reporting project. |
| 21 | Statewide | Continuous Monitoring through Data Analysis (CMDA) | Large | Consulting | Consultation on the Enterprise Information Management (EIM) project, monitoring performance of data analytics system, and internal training to OIAS staff on data analytics techniques. |

Quality of Life and Economic Strength

| # | Department | Engagement Area | Level of Effort | Type of Engagement | Description of Engagement Scope |
|---|---|---|---|---|---|
| 22 | DNR | Department-wide Grants Management | Large | Consulting | Review design of department-wide infrastructure for administering State/Federal grants, and identify leading practices. |
| 23 | DEQ | SAW Grant Administration | Medium | Assurance | Assess implementation of SAW grant program, status of grant activity. |
| 24 | DEQ | Underground Storage Tank Authority | Medium | Consulting | Process mapping and review design of internal control consult. |
| 25 | DTED | Community Ventures Program | Medium | Consulting | Review outcome information and update data. |
| 26 | DTED | Michigan Strategic Fund/Michigan Economic Development Corporation - Controls over Federal Compliance | Medium | Consulting | Review design of internal control over federal compliance, and identify leading practices. |
| 27 | DTED | Unemployment Insurance Agency (UIA) - Unemployment Insurance Benefit Overpayments and Nonmonetary Eligibility Determinations | Large | Follow Up | Four material findings the OAG reported in March 2011. |
| 28 | DTED | UIA - Collection of Delinquent Unemployment Taxes and Reimbursements | Large | Follow Up | Two material findings the OAG reported in January 2012. |
| 29 | DTED | Michigan Strategic Fund - Internal Control over Financial Reporting | Medium | Consulting | Review design of internal control over financial reporting, and identify leading practices. |
| 30 | LARA | Bureau of Professional Licensing - Oversight of Health Professionals | Medium | Follow Up | Three material findings the OAG reported in February 2015. |
| 31 | LARA | Bureau of Fire Services and the State Fire Marshal | Large | Follow Up | Six material findings the OAG reported in April 2014. |
| 32 | LARA | Bureau of Community and Health Systems - Health Facilities Division | Small | Follow Up | One material finding the OAG reported in March 2014. |
| 33 | LARA | Bureau of Construction Codes | Small | Follow Up | Review of boiler and elevator inspections. |
| 34 | LARA | Bureau of Community and Health Systems - Adult Foster Care and Homes for the Aged | Medium | Follow Up | Two material findings the OAG reported in May 2015. |
| 35 | LARA | Liquor Control Commission | Small | Follow Up | Review of license issuance. |
| 36 | LARA | Bureau of Services for Blind Persons | Small | Follow Up | Review of equipment inventory and operators' monthly reports. |
| 37 | MDARD | Food and Dairy Division | Medium | Assurance | Review implementation of Operational Excellence. |

People, Health and Education

| # | Department | Engagement Area | Level of Effort | Type of Engagement | Description of Engagement Scope |
|---|---|---|---|---|---|
| 38 | MDE | Office of Great Start - Child Care Development Fund | Large | Follow Up | Two material findings the OAG reported in July 2013 report. |
| 39 | MDE | Office of Great Start - Child Care Development Fund | Large | Follow Up | One material finding the OAG reported in July 2013 report. |
| 40 | MDE | Office of Great Start - Child Care Development Fund | Medium | Consulting | Map processes and key controls across multiple departments covered by the program. |
| 41 | MDE | Administration and Support Services | Medium | Consulting | Financial Review of State Aid and Federal Grant accounting practices. |
| 42 | DHHS | Field Operations - Office of Child Support | Medium | Assurance | Child Support Accrual Review. |
| 43 | DHHS | Michigan Children's Services Agency - Children's Advocacy Center | Medium | Assurance | Review select expenditures from the FY15 Children's Advocacy Center Fund to support accuracy of financial statements. |
| 44 | DHHS | Medical Services Administration (MSA) - Medicaid | Medium | Consulting | FY15 Medicaid Accrual - Review of select accruals for accuracy of calculations. |
| 45 | DHHS | IT and Project Management - Bridges | Large | Follow Up | Evaluation of CAPS and Quarterly Status Update on three material findings the OAG reported in the July 2013 report - Q1-Q4. |
| 46 | DHHS | Medical Services Administration (MSA) - Home Help | Medium | Follow Up | Quarterly Evaluation of CAP and status for one material finding the OAG reported in July 2013 report. |
| 47 | DHHS | Medical Services Administration (MSA) - Home Help | Large | Follow Up | One material finding the OAG reported in July 2013 report. |
| 48 | DHHS | Aging and Adult Services - Adult Protective Services | Large | Follow Up | Quarterly Status Update on 6 material findings the OAG reported in the July 2013 report - Q1-Q4. |
| 49 | DHHS | Behavioral Health - Center for Forensic Psychiatry | Medium | Follow Up | One material finding the OAG reported in July 2013 report. |
| 50 | DHHS | Field Operations - Temporary Assistance for Needy Families (TANF) | Large | Consulting | Process mapping - How TANF funding is used and distributed to other MDHHS programs, subrecipients and other state departments. |
| 51 | DHHS | Michigan Children's Services Agency - Business Service Centers | Large | Consulting | Process Mapping - Obtain understanding and map processes and responsibilities related to child welfare programs. |
| 52 | DHHS | Population Health - Emergency Medical Services | Large | Assurance | EMS personnel and equipment compliance review. |
| 53 | DHHS | Michigan Children's Services Agency - Child Care Fund | Small | Consulting | Special Request Regarding Children's Services Agency. |

Public Safety

| # | Department | Engagement Area | Level of Effort | Type of Engagement | Description of Engagement Scope |
|---|---|---|---|---|---|
| 54 | DOC | Prisoner Medical Offsite Service Charges | Medium | Follow Up | Follow up to ensure DOC has adequate billing controls. |
| 55 | DOC | Application Control | Medium | Consulting | Review application controls. |
| 56 | DOC | OMS User Profiles | Medium | Follow Up | Application Control Review. |
| 57 | DOC | IT General Business Process | Small | Consulting | Review IT general business process. |
| 58 | DOC | Prisoner Time/OMS Development | Large | Assurance | Test manual key controls over time computations. |
| 59 | DOC | Contract Risk Assessment | Small | Consulting | Assist DOC in setting up a risk-based contract monitoring methodology. |
| 60 | DOC | Contract Monitoring | Medium | Assurance | Test key controls performed by contract compliance inspectors. |
| 61 | DOC | Accounts Payable | Medium | Assurance | Test key controls performed by accounts payable staff. |
| 62 | MSP | Forensic Science | Small | Follow Up | Forensic Science Application Control Review. |
| 63 | MSP | LEAN Gun Registration | Small | Consulting | Participate with LEAN team to add insight regarding key controls over new gun registration process. |
| 64 | State | Registration Fee | Small | Follow Up | Review corrective action to ensure accurate registration fees for commercial vehicles. |
| 65 | State | User Controls | Medium | Consulting | Assist DOS with general controls review. |
| 66 | DMVA | Tuition Assistance | Small | Assurance | Test compliance with statute. |
| 67 | DMVA | Veteran Service Organization | Medium | Consulting | Assist MVAA in designing effective monitoring over veteran service organization contracts. |

Summary of Planned Engagements by Type and Agency

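| Department | Assurance | Consulting | Follow Up | Grand Total |
|---|---|---|---|---|
| CSC | | | 1 | 1 |
| DEQ | 1 | 1 | | 2 |
| DHHS | 3 | 4 | 5 | 12 |
| DMVA | 1 | 1 | | 2 |
| DNR | | 1 | | 1 |
| DOC | 3 | 3 | 2 | 8 |
| DTED | | 3 | 2 | 5 |
| DTMB-IT | | 3 | 1 | 4 |
| DTMB-MB | 1 | 3 | | 4 |
| LARA | | | 7 | 7 |
| MDARD | 1 | | | 1 |
| MDE | | 2 | 2 | 4 |
| MSP | | 1 | 1 | 2 |
| DOS | | 1 | 1 | 2 |
| Statewide | 1 | 2 | | 3 |
| Treasury | 1 | 5 | 3 | 9 |
| Grand Total | 12 | 30 | 25 | 67 |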


Strategic and Operational Excellence

During August 2015, Contract No. 071B5500121 was executed between the State of Michigan and
The McDonnell Company, LLC to implement Operational Excellence with OIAS and the OGG
assigned as program managers to the enterprise contract. Subsequently in September 2015, the
program was expanded to include PwC and Mass Ingenuity for Strategic Excellence with OGG as
the lead program manager with advisory support from OIAS.

Both programs work in tandem with the intent of creating strategic and operational alignment for
lasting cultural change in State government. The combined program leverages a top-down
(strategic excellence) and bottom-up (operational excellence) approach to implement the
Governor's vision of excellence for the State.

OIAS plays a critical oversight role in the program and has built detailed assessment into the Plan to
incorporate this effort. The intent of the Plan is to be flexible and aligned with Strategic Excellence
to focus engagement effort on the core processes of State government that must work well to drive
the State's key outcomes. OIAS will also opine on documentation of core processes and
effectiveness of related controls through a review of process measures, targets, and outcomes as
defined on the Governor's Fundamentals and Strategy Maps, which will be completed by February
2016.

Strategic and Operational Excellence Work in Tandem


APPENDIX A - DEPARTMENT HEAT MAPS


Organized by Governor's Executive Grouping

Value for Money Government and Treasury
  Technology, Management, and Budget
  Treasury, includes Lottery and Gaming Control Board
  Civil Service
Economic Strength
  Talent and Economic Development
  Licensing and Regulatory Affairs
  Insurance and Financial Services
  Transportation*
Quality of Life
  Michigan Department of Agriculture and Rural Development
  Environmental Quality
  Natural Resources
People
  Health & Human Services
  Civil Rights
Public Safety
  Corrections
  Michigan State Police
  Military and Veterans Affairs
Other Executive Branch Departments
  Michigan Department of Education
  Secretary of State
  Attorney General

*Department of Transportation is statutorily separate and not audited by OIAS

Note: Reflected on subsequent pages (Pages 25-41), program size is characterized by an alphabetic letter
to correspond to range of appropriation and/or dollars supported through the activity. For simplicity, the
index is included here and intentionally not duplicated on each heat map.

Program Size
Over $500 million = A
$250 million to $500 million = B
$100 million to $250 million = C
$15 million to $100 million = D
$0 to $15 million = E


Technology, Management and Budget (DTMB)

On September 16, 2015 and October 14, 2015, Chief Deputy Director Brom Stibitz, Deputy Director Phil Jeffery,
Financial Services Director Mike Gilliland, and John Juarez, Compliance Officer, met with Jeff Bankowski and Rick
Lowe of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: business components plotted by Likelihood (Rare, Unlikely, Possible, Likely, Frequent) and Impact (Incidental, Minor, Moderate, Major, Extreme) across LOW, MEDIUM, and HIGH risk zones]

[Table columns: #; Risk Universe / Business Components; Program Size; OAG Material Weakness; Operations; IT Related; Recent Audits/Engagements (FY13, FY14, FY15); OAG; OIAS; OAG Work in Process; OIAS Planned Engagements]

Risk Universe / Business Components
1. Cybersecurity and Infrastructure Protection
2. IT Applications
3. IT Technical Infrastructure
4. IT Management
5. IT External Controls
6. DTMB Procurement
7. Office of Retirement Services
8. Statewide Single Audit
9. Office of Support Services (includes VTS, Logistics, and Operations)
10. Building Operations
11. State Budget Office - Other
12. Design and Construction
13. Office of the State Employer
14. Labor Market Information and Strategic Initiatives
15. Real Estate
16. Office of Children's Ombudsman
17. Office of Organization and Performance Measurement
IT - Business Process General Controls
IT - Application Control

Total FY16 Appropriations: $1,195,329,600
Total # of Material Weaknesses: 25

Treasury

On September 22, 2015 the Treasurer and Deputy Treasurers met with Jeff Bankowski, Rick Lowe, and
Stacey Bliesener of OIAS. On September 28, 2015 the Lottery Commissioner met with Sandy Streb and Sherri
Washabaugh of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: business components plotted by Likelihood (Rare, Unlikely, Possible, Likely, Frequent) and Impact (Incidental, Minor, Moderate, Major, Extreme) across LOW, MEDIUM, and HIGH risk zones]

[Table columns: #; Risk Universe / Business Components; Program Size; OAG Material Weakness; Operations; IT Related; Recent Audits/Engagements (FY13, FY14, FY15); OAG; OIAS; OAG Work in Process; OIAS Planned Engagements]

Risk Universe / Business Components
1. Collections
2. Tax Processing
3. Investments
4. Financial Services
5. Local Government Services
6. Lottery
7. Office of Privacy and Security
8. Office of Dept Services
9. Gaming Control Board
10. Tax Compliance
11. Office of Revenue and Tax Analysis
12. Bureau of State and Authority Finance
13. Tax Policy
14. Student Financial Services Bureau
IT - Business Process General Controls
IT - Application Control

Total FY16 Appropriations: $1,945,052,200
Total # of Material Weaknesses: 3

Civil Service Commission (CSC)

On October 12, 2015, OIAS shared with key leaders at the Civil Service Commission (CSC) our Heat Map and
planned engagement description, inviting their review and feedback. Key leaders included in the
correspondence were Matt Fedorchuk, Chief Deputy Director; Carol Vargovich, Chief Financial Officer; and
Mike Winters, Audit Liaison. The only planned engagement involves a follow-up of remediation efforts
associated with a prior OIAS audit of the Office of Compliance. CSC representatives did not provide any
feedback necessitating adjustment to our plans.

[Heat map: business components plotted by Likelihood (Rare, Unlikely, Possible, Likely, Frequent) and Impact (Incidental, Minor, Moderate, Major, Extreme) across LOW, MEDIUM, and HIGH risk zones]

[Table columns: #; Risk Universe / Business Components; Program Size; OAG Material Weakness; Operations; IT Related; Recent Audits/Engagements (FY13, FY14, FY15); OAG; OIAS; OAG Work in Process; OIAS Planned Engagements]

Risk Universe / Business Components
1. Business Application Support
2. HR Statewide Activities (includes Civil Rights, Civil Service, DCH, DOC, Gaming, DHS, LARA, Lottery, DMVA, Quality of Life, MSP, DTMB, MDOT, Treasury, and MDE)
3. Benefits
4. Compliance
5. Disability Management Office
6. Compensation
7. Personal Services Review
IT - Business Process General Controls
IT - Application Control

Total FY16 Appropriations: $67,894,100
Total # of Material Weaknesses:

Department of Talent and Economic Development (DTED)

On September 1, 2015 Director Steve Arwood and Chief of Staff Greg Tedder of DTED met with John
Roberts, State Budget Director, and Jeff Bankowski and Bryan Weiler of OIAS. We discussed the risk
assessment/heat map and outcome analysis presented below.

[Heat map: business components plotted by Likelihood (Rare, Unlikely, Possible, Likely, Frequent) and Impact (Incidental, Minor, Moderate, Major, Extreme) across LOW, MEDIUM, and HIGH risk zones]

[Table columns: #; Risk Universe / Business Components; Program Size; OAG Material Weakness; Operations; IT Related; Recent Audits/Engagements (FY13, FY14, FY15); OAG; OIAS; OAG Work in Process; OIAS Planned Engagements]

Risk Universe / Business Components
1. Unemployment Insurance Agency
2. Talent Investment Agency
3. MSF/MEDC
4. MSHDA
IT - Business Process General
IT - Application Control

Total FY16 Appropriations: $1,153,023,500
Total # of Material Weaknesses: 9

Licensing and Regulatory Affairs (LARA)

On September 30, 2015 Director Mike Zimmer and Deputy Director/Chief Financial Officer Allan Pohl
of LARA met with Jeff Bankowski, Bryan Weiler, and Paul Jacokes of OIAS. We discussed the risk
assessment/heat map and outcome analysis presented below.

[Heat map: business components plotted by Likelihood (Rare, Unlikely, Possible, Likely, Frequent) and Impact (Incidental, Minor, Moderate, Major, Extreme) across LOW, MEDIUM, and HIGH risk zones]

[Table columns: #; Risk Universe / Business Components; Program Size; OAG Material Weakness; Operations; IT Related; Recent Audits/Engagements (FY13, FY14, FY15); OAG; OIAS; OAG Work in Process; OIAS Planned Engagements]

Risk Universe / Business Components
1. Fire Services
2. Professional Licensing
3. Bureau of Community and Health Systems
4. Michigan Agency for Energy and Public Service Commission
5. Construction Codes
6. Adjudication (MAHS - MI Admin Hearing System)
7. Liquor Control Commission
8. Worker's Compensation Agency
9. MIOSHA (incl. Wage and Hour)
10. Bureau of Services for Blind Persons
11. Bureau of Securities and Corporations
12. Employment Relations
13. Finance and Administrative Services
IT - Business Process General Controls
IT - Application Control

Total FY16 Appropriations: $407,649,000
Total # of Material Weaknesses: 15

Michigan Department of Insurance and Financial Services (DIFS)

On October 7, 2015 Director Pat McPharlin, Chief Deputy Director Teri Morante, and Chief Financial
Officer Penny Wright of DIFS met with John Roberts, State Budget Director, and Jeff Bankowski and Bryan
Weiler of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: business components plotted by Likelihood (Rare, Unlikely, Possible, Likely, Frequent) and Impact (Incidental, Minor, Moderate, Major, Extreme) across LOW, MEDIUM, and HIGH risk zones]

[Table columns: #; Risk Universe / Business Components; Program Size; OAG Material Weakness; Operations; IT Related; Recent Audits/Engagements (FY13, FY14, FY15); OAG; OIAS; OAG Work in Process; OIAS Planned Engagements]

Risk Universe / Business Components
1. Offices of Banking and Credit Unions
2. Insurance Regulation
3. Offices of Consumer Services and Consumer Finances
4. Executive Direction and Department Services
IT - Business Process General Controls
IT - Application Control

Total FY16 Appropriations: $65,057,700
Total # of Material Weaknesses:

Michigan Department of Agriculture & Rural Development (MDARD)

On October 8, 2015 Director Jamie Clover Adams, Director of Strategy and Business Performance Ken
McFarlane, and Chief Financial Officer David Bruce of MDARD met with Bryan Weiler and Carol O'Callaghan
of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: business components plotted by Likelihood (Rare, Unlikely, Possible, Likely, Frequent) and Impact (Incidental, Minor, Moderate, Major, Extreme) across LOW, MEDIUM, and HIGH risk zones]

[Table columns: #; Risk Universe / Business Components; Program Size; OAG Material Weakness; Operations; IT Related; Recent Audits/Engagements (FY13, FY14, FY15); OAG; OIAS; OAG Work in Process; OIAS Planned Engagements]

Risk Universe / Business Components
1. Animal Industry Division
2. Departmentwide, Information and Technology and One Time Basis
3. Food & Dairy Division
4. Pesticide Plant Management
5. Environmental Stewardship Division
6. Laboratory Division
7. Agriculture Development
8. Fair and Expositions
IT - Business Process General Controls
IT - Application Control

Total FY16 Appropriations: $86,594,000
Total # of Material Weaknesses: 2

Department of Environmental Quality (DEQ)

On October 28, 2015 Director Dan Wyant and Chief Deputy Director Jim Sygo of DEQ met with Jeff
Bankowski, Bryan Weiler, and Carol O'Callaghan of OIAS. We discussed the risk assessment/heat map
and outcome analysis presented below.

[Heat map: business components plotted by Likelihood (Rare, Unlikely, Possible, Likely, Frequent) and Impact (Incidental, Minor, Moderate, Major, Extreme) across LOW, MEDIUM, and HIGH risk zones]

[Table columns: #; Risk Universe / Business Components; Program Size; OAG Material Weakness; Operations; IT Related; Recent Audits/Engagements (FY13, FY14, FY15); OAG; OIAS*; OAG Work in Process; OIAS Planned Engagements]

Risk Universe / Business Components
1. Office of Drinking Water & Municipal Assistance
2. Office of Waste Management & Radiological Protection
3. Water Resources Division
4. Remediation and Redevelopment Division
5. Air Quality
6. Office of Great Lakes/Great Lakes Initiative
7. Office of Oil, Gas, & Minerals
8. Executive, Administration, and IT
9. Law Enforcement Division
10. Office of Environmental Assistance
IT - Business Process General Controls
IT - Application Control

* OIAS completed consulting engagements related to subrecipient monitoring, mailroom and cash receipting, and invoicing that involved most of
DEQ's risk universe/business components

Total FY16 Appropriations: $486,909,300
Total # of Material Weaknesses: 0

Department of Natural Resources (DNR)

On September 25, 2015 Finance and Operations Division (FOD) Chief Sharon Schafer and FOD
Manager Amy Henderson met with Bryan Weiler of OIAS. We discussed the risk assessment/heat
map and outcome analysis presented below.

[Heat map: business components plotted by Likelihood (Rare, Unlikely, Possible, Likely, Frequent) and Impact (Incidental, Minor, Moderate, Major, Extreme) across LOW, MEDIUM, and HIGH risk zones]

[Table columns: #; Risk Universe / Business Components; Program Size; OAG Material Weakness; Operations; IT Related; Recent Audits/Engagements (FY13, FY14, FY15); OAG; OIAS; OAG Work in Process; OIAS Planned Engagements]

Risk Universe / Business Components
Parks and Recreation
Department-wide Grants Management
Forest Resources Division & Minerals Management Section
Wildlife Management
Law Enforcement
Finance & Operations Division
Fisheries Division
Communication & Customer Services
Executive Operations/Support Services/Information Technology
IT - Business Process General Controls
IT - Application Control

Total FY16 Appropriations: $404,001,200
Total # of Material Weaknesses:

Department of Health & Human Services (DHHS)

On October 4, 2015 Director Nick Lyon, Deputy Director Tim Becker, Senior Deputy Director of
Financial Operations Administration Farah Hanley, and Director of Bureau of Audit, Reimbursement
and Quality Assurance Pam Myers of DHHS met with Jeff Bankowski, Mark Moeller, and Ed Brickner
of OIAS. We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map: business components plotted by Likelihood (Rare, Unlikely, Possible, Likely, Frequent) and Impact (Incidental, Minor, Moderate, Major, Extreme) across LOW, MOD, and HIGH risk zones]

[Table columns: #; Risk Universe / Business Components; Program Size; OAG Material Weakness; Operations; IT Related; Recent Audits/Engagements (FY13, FY14, FY15); OAG; OIAS; Other (Dept/Fed); OAG Work in Process; OIAS Planned Engagements]

Risk Universe / Business Components
1. Field Operations
2. Michigan Children's Services Agency
3. Medical Services Administration
4. IT and Project Management
5. Aging and Adult Services
6. Behavioral Health & Developmental Disabilities
7. Population Health and Community Services
8. Central Operations
9. Policy and Legislative
10. Component Unit - Early Childhood Investment
11. Office of Recipient Rights
12. Inspector General
13. Legal Affairs Administration
14. External Relations and Communications
IT - Business Process General Controls
IT - Application Control

Total FY16 Appropriations: $25,069,637,100
Total # of Material Weaknesses: 12

Department of Civil Rights (DCR)

On October 2, 2015 Deputy Director Leslee Fritz met with Kathy
Warner and Ed Brickner of OIAS. We discussed the risk assessment/heat
map and outcome analysis presented below.

[Heat map: business components plotted by Likelihood (Rare, Unlikely, Possible, Likely, Frequent) and Impact (Incidental, Minor, Moderate, Major, Extreme) across LOW, MEDIUM, and HIGH risk zones]

[Table columns: #; Risk Universe / Business Components; Program Size; OAG Material Weakness; Operations; IT Related; Recent Audits/Engagements (FY13, FY14, FY15); OAG; OIAS; OAG Work in Process; OIAS Planned Engagements]

Risk Universe / Business Components
1. Enforcements/Complaints Division
IT - Business Process General Controls
IT - Application Control

Total FY16 Appropriations: $16,128,700
Total # of Material Weaknesses:

Department of Corrections (DOC)

On September 15, 2015 Director Heidi Washington and Deputy Director Jeri-Ann Sherry, met with Jeff
Bankowski and Connie MacKenzie of OIAS. We discussed the risk assessment/heat map and outcome
analysis presented below.

[Heat map figure: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) against Impact (Incidental, Minor, Moderate, Major, Extreme); risk zones LOW, MEDIUM, HIGH; numbered markers refer to the components listed below. Legend: OAG Material Findings.]

Risk Universe/Business Component:
- Prisons
- Prisoner Health Care, Food, Transportation
- Financial, budget, and IT
- Offender Programming/Re-entry
- Time Comp/Parole/Discharge
- Parole and Probation Supervision
- Pre-sentence Investigations

Table columns: Program Size; Operations; IT Related (IT - Business Process General Controls, IT - Application Control); Recent (FY13, FY14, FY15) Audits/Engagements by OAG and OIAS; OAG Work in Process; OIAS Planned Engagements.

Total FY16 Appropriations: $1,962,226,000

Michigan State Police (MSP)

On September 3, 2015 Director Kristie Etue, Chief Deputy Director Shawn Sible, Internal
Control Officer Sherri Irwin, and Internal Control Coordinator Jacqueline Reese of MSP, met
with State Budget Director John Robers, and Jeff Bankowski and Connie MacKenzie of OIAS.
We discussed the risk assessment/heat map and outcome analysis presented below.

[Heat map figure: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) against Impact (Incidental, Minor, Moderate, Major, Extreme); risk zones LOW, MEDIUM, HIGH; numbered markers refer to the components listed below. Legend: OAG Material Weakness.]

Risk Unit / Business Components:
- Forensic Labs & Biometrics
- Training, MCOLES, CJIC
- Field Services (posts, uniform services, criminal investigations)
- Specialized Services (commercial vehicle enf, special ops, EMHSD, OHSP)
- Support Services (fleet leasing, OJ grants, ATPA, 911, secondary roads, administrative, technology)

Table columns: Program Size; Operations; IT Related (IT - Business Process General Controls, IT - Application Control); Recent Audits/Engagements (FY13, FY14, FY15) by OAG, OIAS and Federal; OAG Work in Process; OIAS Planned Engagements.

Total FY16 Appropriations: $620,837,400
Total # of Material Weaknesses: 2

Department of Military and Veterans Affairs (DMVA)

On September 25, 2015 Adjutant General Vadnais and Senior Deputy Director Russell Gullett of DMVA
met with Connie MacKenzie and Randy Shaffer of OIAS. We discussed the risk assessment/heat map
and outcome analysis presented below.

[Heat map figure: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) against Impact (Incidental, Minor, Moderate, Major, Extreme); risk zones LOW, MEDIUM, HIGH; numbered markers refer to the components listed below. Legend: OAG Material Weakness.]

Risk Universe / Business Objective:
- Veteran Programs
- Military Related
- Administration and IT

Table columns: Program Size; Operations; IT Related (IT - Business Process General Controls, IT - Application Control); Recent Audits/Engagements (FY13, FY14, FY15) by OAG, OIAS and Federal; OAG Work in Process; OIAS Planned Engagements.

Total FY16 Appropriations: $166,953,700
Total # of Material Weaknesses: 8

Michigan Department of Education (MDE)

On September 18, 2015 Deputy Superintendent Kyle Guerrant and Financial Officer Jane Schultz of MDE,
met with Kathy Warner and April Karns of OIAS. We discussed the risk assessment/heat map and
outcome analysis presented below.

[Heat map figure: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) against Impact (Incidental, Minor, Moderate, Major, Extreme); risk zones LOW, MEDIUM, HIGH; numbered markers refer to the components listed below. Legend: OAG Material Weakness.]

Risk Universe / Business Components:
- Office of Great Start
- Education Services
- School Aid/Finance
- Accountability Services
- Administrative & Support Services

Table columns: Program Size; Operations; IT Related (IT - Business Process General Controls, IT - Application Control); Recent Audits/Engagements (FY13, FY14, FY15) by OAG and OIAS; OAG Work in Process; OIAS Planned Engagements.

Total FY16 Appropriations: $14,202,205,500
Total # of Material Weaknesses: 7

Note: Governor Snyder's Executive Order in March 2015 moved the School Reform Office to DTMB (which is included in
Education Services above); OIAS will address these risks and ensure applicable ICE documentation will be reflected in
DTMB's upcoming ICE cycle.

Secretary of State (DOS)

On September 21, 2015 Deputy Director Rose Jarios and audit liaison Steve Stier of DOS met with
Connie MacKenzie and Daphne Hobson of OIAS. We discussed the risk assessment/heat map and
outcome analysis presented below.

[Heat map figure: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) against Impact (Incidental, Minor, Moderate, Major, Extreme); risk zones LOW, MEDIUM, HIGH; numbered markers refer to the components listed below. Legend: OAG Material Weakness.]

Risk Universe/Business Components:
- Driver/Vehicle Systems
- Elections
- Department Services Administration
- Regulatory
- Customer Service (Records Maintenance/Info Center, Great Seal, UCC)

Table columns: Program Size; Operations; IT Related (IT - Business Process General Controls, IT - Application Control); Recent Audits/Engagements (FY13, FY14, FY15) by OAG and OIAS; OAG Work in Process; OIAS Planned Engagements.

Total FY16 Appropriations: $225,256,700
Total # of Material Weaknesses: 0

Department of Attorney General (AG)

On October 19, 2015, Connie MacKenzie of OIAS emailed AG audit
liaison James Selleck to confirm their earlier phone discussion regarding
the risk assessment/heat map and outcome analysis presented below.

[Heat map figure: Likelihood (Rare, Unlikely, Possible, Likely, Frequent) against Impact (Incidental, Minor, Moderate, Major, Extreme); risk zones LOW, MEDIUM, HIGH; numbered markers refer to the components listed below. Legend: OAG Material Weakness.]

Risk Universe/Business Components:
1. Legal and Investigative Services
2. Financial, budget, and IT

Table columns: Program Size; Operations; IT Related (IT - Business Process General Controls, IT - Application Control); Recent Audits/Engagements (FY13, FY14, FY15) by OAG and OIAS; OAG Work in Process; OIAS Planned Engagements.

Total FY16 Appropriations: $92,107,600

APPENDIX B AGENCY FISCAL YEAR 2016 APPROPRIATIONS VS. BUDGETED AUDIT HOURS

                                          Appropriations All               % of In-    Estimated  % Hours of
    Agency Name                              Funds FY 16 ($)  % of Total      Scope  Audit Hours      Budget
 1  Agriculture & Rural Development               86,594,000       0.16%      0.18%          400       1.47%
 2  Attorney General                              92,107,600       0.17%      0.19%                    0.00%
 3  Civil Rights                                  16,128,700       0.03%      0.03%                    0.00%
 4  Civil Service                                 67,894,100       0.12%      0.14%          300       1.10%
 5  Corrections                                1,962,226,000       3.60%      4.07%        2,750      10.08%
 6  Education                                 14,202,205,500      26.04%     29.49%        2,000       7.33%
 7  Environmental Quality                        486,909,300       0.89%      1.01%          800       2.93%
 8  Health & Human Services                   25,069,637,100      45.97%     52.05%        6,040      22.13%
 9  Insurance and Financial Services              65,057,700       0.12%      0.14%                    0.00%
10  Licensing and Regulatory Affairs             407,649,000       0.75%      0.85%        2,500       9.16%
11  Military and Veterans Affairs                166,953,700       0.31%      0.35%          500       1.83%
12  Natural Resources                            404,001,200       0.74%      0.84%          700       2.57%
13  Secretary of State                           225,256,700       0.41%      0.47%          400       1.47%
14  State Police                                 620,837,400       1.14%      1.29%          350       1.28%
15  Technology, Management and Budget          1,195,329,600       2.19%      2.48%        4,700      17.22%
16  Talent and Economic Development            1,153,023,500       2.11%      2.39%        2,700       9.89%
17  Treasury                                   1,945,052,200       3.57%      4.04%        3,150      11.54%
    Total In-scope                            48,166,863,300      88.33%    100.00%       27,290     100.00%

Total Audit Plan - Budgeted Hours: 27,290 *

Remaining Appropriations Out-of-Scope

                                          Appropriations All              % Out-of-    Estimated  % Hours of
    Agency Name                              Funds FY 16 ($)  % of Total      Scope  Audit Hours      Budget
18  Executive Office                               5,531,100       0.01%       0.1%          N/A         N/A
19  Community Colleges                           387,825,600       0.71%       6.1%          N/A         N/A
20  State Universities/Financial Aid           1,534,724,400       2.81%      24.1%          N/A         N/A
21  Judiciary                                    284,851,400       0.52%       4.5%          N/A         N/A
22  Legislature                                  159,304,800       0.29%       2.5%          N/A         N/A
23  Transportation                             3,896,201,400       7.15%      61.2%          N/A         N/A
24  Budget Stabilization Fund                     95,000,000       0.17%       1.5%          N/A         N/A
    Total Out-of-Scope                         6,363,438,700      11.67%    100.00%          N/A         N/A

                                          Appropriations All
    Agency Name                              Funds FY 16 ($)  % of Total
    Total Appropriations                      54,530,302,000     100.00%

* Total audit plan hours of 27,290 is part of total engagement and oversight activities hours of 38,556 on page 5.

APPENDIX C LISTING OF OAG MATERIAL WEAKNESSES AS OF SEPTEMBER 30, 2015

Table columns: Department; Audit Report Date; Finding Title; Recommendation\Condition; N-New / R-Repeat; OIAS Assessed Level of Risk

DTMB, 03/27/15: Formal Training Program could Improve DBA's Database Management
- DTMB did not establish a formal training program or take other steps to ensure that all DBAs managing the State's Oracle databases receive sufficient training.
OIAS Assessed Level of Risk: High Risk

DTMB, 01/22/15: Security Configuration Enforcement
- DTMB did not enforce security configuration profiles within the State's MDM System.
OIAS Assessed Level of Risk: High Risk

DTMB, 08/19/14: Interface Controls
- DTMB, in conjunction with State agencies, had not fully established effective interface controls over the Enterprise Data Warehouse.
OIAS Assessed Level of Risk: High Risk

DTMB, 06/30/15: Statewide Single Audit
- The OAG has noted 23 material weaknesses in the Statewide Single Audit. These weaknesses are managed jointly with OFM and the Departments. OAG will be following up on these as part of the next Statewide Single Audit.
N-New / R-Repeat: Both
OIAS Assessed Level of Risk: High Risk

DTMB, 09/08/15: Procurement Card Program
- DTMB did not ensure that departments provide timely responses to DTMB's quarterly procurement card compliance and transaction reports.
OIAS Assessed Level of Risk: Medium Risk

DTMB, 12/11/14: Segregation of Duties
- Surplus did not maintain sufficient segregation of duties over the collection and recording of revenue.
OIAS Assessed Level of Risk: Low Risk

DTMB, 03/27/15: More Comprehensive Security Configurations Vital to Protect Databases
- DTMB did not fully establish and implement effective security configurations for the State's Oracle databases.
OIAS Assessed Level of Risk: Low Risk

DTMB, 12/11/14: Lack of Documentation for Disposition of Surplus Items
- State Surplus did not maintain sufficient records to accurately account for the disposition of surplus items received from State agencies.
OIAS Assessed Level of Risk: Low Risk

DTMB, 01/25/13: Access to DHS's Computer Networks
- OCO in conjunction with DHS, did not obtain access to DHS's computer networks relating to children's protective services, foster care, adoption services, and the juvenile justice system.
OIAS Assessed Level of Risk: Low Risk

DTMB Total Material Weaknesses: 31


Treasury, 03/07/14: Write-Off of Uncollectible Delinquent Tax Assessments in STAR
- Treasury did not accurately and completely write off uncollectible delinquent tax assessments in STAR.
OIAS Assessed Level of Risk: High Risk

Treasury, 07/20/15: Collections - System programming should be improved to accurately identify delinquent SUW assessment balances
- Treasury did not ensure that the automated system for managing SUW tax returns and payment information is programmed to accurately identify delinquent assessment balances.
OIAS Assessed Level of Risk: High Risk

Treasury, 07/20/15: Collections - Comprehensive security are vital to protecting the MARCS application and database
- Treasury did not fully establish and implement effective security configurations for the MARCS application and database.
OIAS Assessed Level of Risk: High Risk

Treasury, 07/20/15: Collections - More timely pursuit of delinquent debts is necessary
- Treasury did not timely pursue delinquent debts.
OIAS Assessed Level of Risk: Medium Risk

Treasury, 07/20/15: Collections - Improved UBP management and oversight is needed to identify businesses owing taxes
- Treasury did not provide sufficient program management and oversight of the UBP to ensure the identification and registration of businesses owing delinquent taxes.
OIAS Assessed Level of Risk: Medium Risk

Treasury, 12/03/14: Use of Restricted Funds
- Treasury did not properly charge expenditures to the Principal Residence Exemption Fund.
OIAS Assessed Level of Risk: Medium Risk

Treasury Total Material Weaknesses: 6

DTED, 01/20/12: Collection Efforts for Delinquent SUTA Taxes
- UIA's CU and TEU initiate sufficient and timely efforts to collect delinquent SUTA taxes from contributing employers.
OIAS Assessed Level of Risk: High Risk

DTED, 01/20/12: UIA - Real Property Liens
- CU determine if delinquent contributing employers own real property before CU files real property liens against the employers.
- CU establish controls to verify that county register of deeds offices promptly record UIA's liens and lien discharges.
- CU documents the lien recording and discharge information in UIA's records.
OIAS Assessed Level of Risk: High Risk

DTED, 01/20/12: UIA - Use of Information
- UIA use available data and data analysis resources to proactively identify and investigate employers potentially involved in: SUTA dumping, misclassifying some or all of their employees as independent contractors, in bankruptcy, or not registering with UIA.
OIAS Assessed Level of Risk: High Risk

DTED, 01/20/12: UIA - SUTA Tax Account Actio
- UIA's Tax Office timely initiate actions affecting contributing employers' SUTA tax accounts.
- UIA's Tax Office ensure that UIA's master employer files contain up-to-date information.
OIAS Assessed Level of Risk: High Risk

DTED, 03/22/11: UIA - Classification of Claimants' Misrepresentations
- UIA improve controls to help ensure that it correctly classifies claimants' intentional misrepresentations or concealment of material facts as fraud.
OIAS Assessed Level of Risk: High Risk

DTED, 03/22/11: UIA Claimant Wage and UI Benefit Payment Cross Match Process
- BPC establish effective controls to ensure that claimant wage and UI benefit payment cross match process consistently detects overpayments to claimants.
- BPC recover overpayments and associated penalties related to claimants who received UI benefits for which they were ineligible.
OIAS Assessed Level of Risk: High Risk

DTED, 01/23/13: MEDC - Overall Compliance Monitoring Process
- MEDC adequately monitor Renaissance Zones' compliance with the requirement of their development agreements.
OIAS Assessed Level of Risk: Low Risk

DTED, 01/23/13: MEDC - Renaissance Zone Program Evaluation
- MEDC establish a comprehensive process to evaluate the effectiveness of the Renaissance Zone Program.
OIAS Assessed Level of Risk: Low Risk

DTED, 03/26/15: MSF - Controls Over Financial Reporting
- MSF improve its internal control to ensure that it properly records and reports MSF financial activity in accordance with GAAP.
OIAS Assessed Level of Risk: Low Risk

DTED Total Material Weaknesses: 9

LARA, 02/20/15: Completeness of Investigations
- HPID consistently conduct complete investigations of Public Health Code violations filed against health professionals.
OIAS Assessed Level of Risk: High Risk

LARA, 02/20/15: Monitoring of HPRP Contractor
- HPID effectively monitor the HPRP contractor's performance.
OIAS Assessed Level of Risk: High Risk

LARA, 02/20/15: Completeness and Accuracy of MAPS Data
- HPID develop additional processes to ensure that it has complete/accurate data in MAPS for all required controlled substances dispensed.
OIAS Assessed Level of Risk: High Risk

LARA, 04/10/14: Bureau of Fire Services - Place of Public Assemblage
- Fire Services Bureau ensure that places of public assemblage obtain certification of maximum capacity and compliance with the Fire Prevention Code prior to establishment or operation.
- Fire Services Bureau ensure that places of public assemblage receive annual safety inspections or seek amendatory legislation regarding the inspection of places of public assemblage.
OIAS Assessed Level of Risk: High Risk

LARA, 03/13/14: Licensing of Substance Abuse Treatment Programs (Two parts)
- HFD conduct statutorily required State inspections of substance abuse treatment programs prior to renewing their licenses.
- HFD ensure that its data systems contain accurate information for substance abuse treatment programs.
OIAS Assessed Level of Risk: High Risk

LARA, 05/19/15: Improved reporting of allegations to APS needed.
- LARA notify APS of complaints alleging abuse, neglect, and/or exploitation of facility and/or home residents to help DHHS ensure that it takes the appropriate actions.
OIAS Assessed Level of Risk: Medium Risk

LARA, 05/19/15: Improved inspection documentation needed.
- LARA sufficiently document on-site licensing inspection review procedures and conclusions to assist DHHS with ensuring proper oversight of facility and home licenses.
OIAS Assessed Level of Risk: Medium Risk

LARA, 04/10/14: Bureau of Fire Services - Tank Inspections
- LARA conduct timely storage tank inspections and reinspections.
- LARA maintain sufficient documentation supporting its completion inspections.
- LARA attempt to obtain missing facility owner contact information.
OIAS Assessed Level of Risk: Medium Risk

LARA, 11/27/12: MCB - Equipment Inventory
- MCB properly account for all equipment items at BEP vending facilities located throughout the State.
OIAS Assessed Level of Risk: Medium Risk

LARA, 11/27/12: Operators' Monthly Reports
- MCB effectively validate BEP operators' monthly VFRs.
OIAS Assessed Level of Risk: Medium Risk

LARA, 02/22/13: Barbershop and Cosmetology Shop Inspections
- BCS perform all required inspections for barbershops and cosmetology shops or request amendatory legislation.
OIAS Assessed Level of Risk: Low Risk

LARA, 04/10/14: Bureau of Fire Services - Efforts to Evaluate Effectiveness
- Bureau of Fire Services establish a comprehensive process to assess the effectiveness of its Fire Service operations.
OIAS Assessed Level of Risk: Low Risk

LARA, 04/10/14: Bureau of Fire Services - Monitoring of Training Activities
- Bureau of Fire Services monitor State-funded Fire training activities. And obtain and review course examinations prior to recording passing grades on student examinations.
OIAS Assessed Level of Risk: Low Risk

LARA, 04/10/14: Bureau of Fire Services - Statutorily Required Reporting
- Bureau of Fire Services fulfill all statutory reporting requirements.
OIAS Assessed Level of Risk: Low Risk

LARA, 04/10/14: Bureau of Fire Services - Training Conflicts of Interest
- Bureau of Fire Services improve its efforts to preclude conflicts of interest among FFTC members, training instructors, training coordinators, county training committee chairpersons, and regional supervisors involved in the firefighter training process.
OIAS Assessed Level of Risk: Low Risk

LARA, 06/25/14: Performance Monitoring
- MPSC establish a comprehensive process to evaluate and improve the effectiveness of its operations.
OIAS Assessed Level of Risk: Low Risk

LARA Total Material Weaknesses: 16

MDARD, 05/30/13: Food Establishment Inspections
- FDD conduct routine and follow-up inspections of food establishments in accordance with the Michigan Food Law of 2000.
- FDD maintain inspection records for temporary food establishments in accordance with MDARD's records retention and disposal schedule.
OIAS Assessed Level of Risk: High Risk

MDARD, 05/30/13: Dairy Inspections
- FDD conduct routine inspections and schedule reinspections of dairy facilities, trucks, and haulers and samplers according to law or guidelines.
- FDD retain documentation of its approval of remodeling or equipment charges for dairy processing plants.
OIAS Assessed Level of Risk: High Risk

MDARD Total Material Weaknesses: 2

DHHS, 06/17/14: Medicaid Home Help - Provider Service Log or Invoice Documentation
- DHHS timely obtain sufficient documentation to ensure providers have delivered the services paid for through a preauthorized payment process.
OIAS Assessed Level of Risk: High Risk

DHHS, 05/31/13: Interface Processing Controls
- DHHS and DTMB fully establish effective processing controls over Bridges interfaces.
OIAS Assessed Level of Risk: High Risk

DHHS, 07/09/14: Adult Protective Services - Client Service Plans
- APS caseworkers consistently complete APS client service plans as required.
OIAS Assessed Level of Risk: High Risk

DHHS, 07/09/14: Adult Protective Services - Evaluation of APS Effectiveness
- Fully develop and implement a process to evaluate the effectiveness of APS intervention services.
OIAS Assessed Level of Risk: High Risk

DHHS, 07/09/14: Adult Protective Services - Review of Closed Investigation Cases
- APS supervisors consistently review closed APS investigation cases, as required.
- Ensure that APS supervisors conduct reviews of closed APS investigation cases that effectively detect unaddressed allegations, incomplete APS client service plans, and missed monthly face-to-face contacts with APS clients.
OIAS Assessed Level of Risk: High Risk

DHHS, 07/09/14: Adult Protective Services - Monthly Face-to-Face Contacts
- APS caseworkers conduct monthly face-to-face contacts with APS clients with open APS investigations, as required.
OIAS Assessed Level of Risk: High Risk

DHHS, 07/09/14: Adult Protective Services - Investigation of Allegations
- DHHS investigate all allegations identified in referrals assigned for an APS investigation.
OIAS Assessed Level of Risk: High Risk

DHHS, 07/09/14: Adult Protective Services - Investigation Standards of Promptness
- DHHS county/district offices begin and conduct APS investigations in accordance with standards of promptness established by the Michigan Compiled Laws and DHHS policies.
OIAS Assessed Level of Risk: High Risk

DHHS, 01/22/14: File Share Server Security and Access Controls
- DCH, in conjunction with DTMB, fully establish effective security and access controls over the file share servers that contain the State's electronic birth and death records.
OIAS Assessed Level of Risk: Medium Risk

DHHS, 06/17/14: ASW Contacts With Clients and Providers
- DHS and DHC timely obtain sufficient documentation to ensure that Medicaid Home Help program providers have delivered the services paid for through a preauthorized payment process.
OIAS Assessed Level of Risk: Medium Risk

DHHS, 05/31/13: Bridges Change Controls
- DTMB, in conjunction with DHS, comply with SUITE, contract provisions, and change control best practices.
OIAS Assessed Level of Risk: Medium Risk

DHHS, 05/31/13: ClearCase and ClearQuest Access
- DTMB establish effective access controls over the Bridges version controls tool, ClearCase, and the Bridges workflow tool, ClearQuest.
OIAS Assessed Level of Risk: Medium Risk

DHHS, 01/29/14: Patient Observation
- Center for Forensic Psychiatry ensure that its staff more effectively observe patients.
OIAS Assessed Level of Risk: Low Risk

DHHS, 07/31/13: Recovery of Medicaid Costs
- HILS attempt to recover and timely recover Medicaid pharmaceutical costs that are the potential liability of Medicare.
OIAS Assessed Level of Risk: Low Risk

DHHS, 08/08/14: Timeliness of Complaint Resolution
- ORR initiate investigations immediately upon receipt of complaints involving alleged abuse or neglect.
- ORR timely complete interventions and investigations.
OIAS Assessed Level of Risk: Low Risk

DHHS, 08/08/14: Review of Recipient Deaths
- ORR perform preliminary reviews of all patient deaths that State psychiatric hospitals report to ORR.
- ORR maintain sufficient documentation to support that ORR performed preliminary reviews of all patient deaths.
OIAS Assessed Level of Risk: Low Risk

DHHS Total Material Weaknesses: 16


MSP, 06/25/14: Intrastate Authority Registration
- MPSC should timely process motor carriers' applications to operate in Michigan.
- MPSC should seek amendatory legislation to incorporate available technological practices.
OIAS Assessed Level of Risk: Low Risk

MSP, 06/06/14: Unobligated Funds
- MCOLES should implement a control to ensure that it identifies all unobligated MJTF funds eligible for competitive grant awards on an annual basis.
OIAS Assessed Level of Risk: Low Risk

MSP Total Material Weaknesses: 2

DMVA, 04/30/13: Controls Over Food, Maintenance Supplies, and Medical Supplies
- GRHV should implement controls over its food, maintenance supplies, and medical supplies inventories.
OIAS Assessed Level of Risk: Medium Risk

DMVA, 04/30/13: Controls Over Pharmaceutical Inventory
- GRHV should fully establish controls over its pharmaceutical inventory.
OIAS Assessed Level of Risk: Medium Risk

DMVA, 05/14/15: Lack of required training for MYCA staff.
- MYCA should provide the required training to its staff.
OIAS Assessed Level of Risk: Low Risk

DMVA, 05/14/15: Safeguarding and accounting for cash received needed.
- MYCA should safeguard and properly account for cash received from cadets' families and various fund-raising activities.
OIAS Assessed Level of Risk: Low Risk

DMVA, 12/20/13: VSA Performance Standards
- MVAA should issue performance standards to each VSO that receives State grant funds.
OIAS Assessed Level of Risk: Low Risk

DMVA, 12/20/13: Monitoring of VSA Performance
- MVAA should effectively monitor the performance of the VSOs that receive State grant funds.
OIAS Assessed Level of Risk: Low Risk

DMVA, 05/14/15: MYCA not effectively staffed.
- MYCA should comply with the cooperative agreement by providing proper staffing levels and effectively overseeing staff.
OIAS Assessed Level of Risk: Low Risk

DMVA, 05/14/15: Comprehensive evaluation of program effectiveness needed.
- MYCA should establish a comprehensive process to monitor and evaluate the effectiveness of its operations.
OIAS Assessed Level of Risk: Low Risk

DMVA Total Material Weaknesses: 8


MDE, 07/17/13: CCDF - Central Registry Records Check Processes
- MDE conduct periodic tests of its Central Registry records check processes to ensure effectively identify individuals with substantiated histories as perpetrators of child abuse and/or neglect and prevent from providing child care services.
- MDE include inactive unlicensed child care providers in its Central Registry records check processes.
OIAS Assessed Level of Risk: High Risk

MDE, 07/17/13: CCDF - Terminable Crimes and Codes List
- MDE ensure that the terminable crimes and codes list is complete and includes the crime description and conviction coding information necessary to identify unsuitable unlicensed providers.
OIAS Assessed Level of Risk: High Risk

MDE, 07/17/13: CCDF - Criminal History Checks at Enrollment
- MDE strengthen its ICHAT records check process
OIAS Assessed Level of Risk: High Risk

MDE, 07/17/13: CCDF - Monthly Criminal History Checks
- MDE ensure that its monthly ICHAT records check process works effectively to detect active unlicensed providers with terminable convictions in ICHAT records.
OIAS Assessed Level of Risk: High Risk

MDE, 07/17/13: CCDF - Suitability of Adult Household Members of Unlicensed Providers and Family and Group Child Care Home Provider
- MDE and BCAL implement controls to ensure that criminal background and Central Registry check processes effectively identify and terminate unlicensed providers and family and group home providers with adult household members that have criminal convictions of terminable crimes or were substantiated as perpetrators of child abuse and/or neglect.
- MDE utilize internal and publicly available information to help identify unreported adult household members of unlicensed providers who care for children in their own homes.
OIAS Assessed Level of Risk: High Risk

MDE, 03/14/14: Change Control Process
- MDE and DTMB continue to develop a comprehensive change control process for MEGS+ and FNS-FRS.
OIAS Assessed Level of Risk: Low Risk

MDE, 03/14/14: Database Security
- DTMB and MDE monitor privileged user activity and automated audit logs of high-risk events for the SAMS, MEGS+, CMS, and FNS-FRS databases.
OIAS Assessed Level of Risk: Low Risk

MDE, 03/14/14: Security Program and Access Controls
- MDE and DTMB continue to fully establish a comprehensive information systems security program and effective access controls over MDE information systems.
OIAS Assessed Level of Risk: Low Risk

MDE, 11/15/13: Early On - IFSP Development and Review
- MDE implement measures to ensure that ISDs develop and review IFSPs for children and their families qualifying for Early On-only services in accordance with federal regulations.
OIAS Assessed Level of Risk: Low Risk

MDE, 11/15/13: Early On - EI Services Available for Delivery
- MDE implement measures to ensure that ISDs comply with federal regulations by providing Early On-only children access to a comprehensive selection of EI services delivered by qualified personnel.
OIAS Assessed Level of Risk: Low Risk

MDE Total Material Weaknesses: 10

DOS, 01/16/15: Motor Vehicle - GVW Registration Fees
- DOS did not always accurately prorate GVW registration fees.
OIAS Assessed Level of Risk: High Risk

DOS Total Material Weaknesses: 1

MDOT, 02/16/15: Lease and Refurbishment of Commuter Rail Cab and Coach Cars
- The OAG recommended that the Office of Rail effectively and efficiently oversee the lease and refurbishment of cab and coach cars designated for two commuter rail projects.
OIAS Assessed Level of Risk: N/A

MDOT, 02/20/15: Monitoring of Road and Bridge Warranties
- The OAG recommended that MDOT ensure that staff inspect or timely inspect warrantied road and bridge construction projects.
- The OAG also recommended that MDOT maintain documentation to support initial acceptance of warrantied projects, interim and final inspections, and notifications to the contractor that the warranty period was complete.
OIAS Assessed Level of Risk: N/A

MDOT, 06/06/14: Program Outcome Assessments
- The OAG recommended that OED comprehensively assess the effectiveness of all programs funded by TEDF and federal grants.
OIAS Assessed Level of Risk: N/A

MDOT, 02/02/15: Statewide Warranty Administration Database (SWAD)
- The OAG recommended that MDOT ensure the completeness and accuracy of the information recorded in SWAD.
OIAS Assessed Level of Risk: N/A

MDOT, 02/02/15: Timeliness of Corrective Action Completion
- The OAG recommended that MDOT ensure that contractors complete corrective action and complete it timely for warrantied projects identified as needing repairs.
OIAS Assessed Level of Risk: N/A

* MDOT Total Material Weaknesses: 5

Overall Total Material Weaknesses: 106

* MDOT's internal audit is statutorily separate from OIAS.