Auditor General releases findings and management comments from audit of state’s Fiscal 2016 financial statements
STATE HOUSE – The State lacks a strategic plan to (1) coordinate needed replacements/enhancements to its key statewide financial systems and (2) ensure that critical legacy financial systems, such as the payroll system, which pose a business continuity risk, will be available to support State operations. Because the State has opted to utilize various independent software solutions, the plan is critically important. Without a comprehensive plan, there is substantial risk that the intended integration of various components may not be achieved.
These findings and management comments related to the State’s internal control over financial reporting are included in a report issued by Auditor General Dennis E. Hoyle and released today by the Joint Committee on Legislative Services. The findings result from the Auditor General’s annual audit of the State’s financial statements for the year ended June 30, 2016. The State’s Comprehensive Annual Financial Report, which includes the State’s financial statements and the Auditor General’s report thereon, was made available in December 2016. (Click here to read the audit report and here to read a summary.)
The State can enhance its communication and implementation of a statewide approach to design, document, and monitor its internal control policies and procedures following the principles contained in the revised internal control framework. The State’s system of internal controls is intended to safeguard public resources and support accurate financial reporting.
The auditors reported that net recoverable gain share amounts totaling $101 million from Medicaid managed care organizations (MCOs) were outstanding at June 30, 2016. Of this amount, gain share totaled $120 million for individuals covered under the Medicaid expansion provision. Only $36 million of $133 million (Medicaid expansion) that was outstanding at the close of the prior fiscal year was collected during fiscal 2016. An additional $22 million is owed to the State for the contract period ended June 30, 2016.
The auditors noted that the complexity of Medicaid program operations adds to the challenge of accurately accounting for all Medicaid program related financial activity within the State’s financial statements. The complexity of the Medicaid program continues to increase each year through federal Affordable Care Act (ACA) provisions and various State initiatives that have changed how services are delivered and providers are reimbursed. Medicaid is the State’s single largest program activity - representing nearly 25% of the annual budgeted outlays.
The auditors found that the State has not sufficiently addressed information technology (IT) security risks, an increasing concern given the State’s very complex computing environment. The State needs to ensure its IT security policies and procedures are current and well communicated. Assessments of compliance for all critical IT applications have not been performed - systems deemed to pose the most significant operational risk must be prioritized.
The auditors noted that the State did not perform tests of its disaster recovery plan during fiscal 2015 and 2016. This reduces the assurance that all mission critical systems can be restored should a disaster disable or suspend operations.
The State does not follow uniform enterprise-wide program change control procedures for the various IT applications operating within State government. This increases the risk that unauthorized or inappropriate changes could be made to IT applications without detection.
Implementation of a new Taxation IT system (STAARS) presented issues impacting financial reporting due to processing timeframes for personal income tax returns and other returns held in suspense. This affected accruals based on historical processing timelines and complicated financial reporting estimates due to the uncertain effect of returns that had not fully processed at June 30, 2016.
Electronic data received by Taxation should remain encrypted and then be uploaded to Taxation’s systems through automated processes without manual intervention. The auditors reported that current procedures create rather than restrict opportunities for data manipulation.
Historical data used to support significant financial reporting estimates for tax revenues should be reassessed periodically to ensure continued validity – this is particularly important with more current data emanating from the new STAARS system.
Critical Division of Taxation back-up data files are not stored off-site – a recommended disaster recovery best practice. STAARS system user access rights need to be assessed and tailored to ensure access is consistent and appropriate with each employee’s responsibilities.
The Department of Transportation’s use of multiple systems to meet its operational and financial reporting objectives results in unnecessary complexity and control weaknesses since these systems were never designed to share data.
The State’s Office of Management and Budget (OMB) has not fully addressed all the required functionalities outlined in the General Laws regarding oversight of federal grants within the State.
Certain duties performed by the Office of the General Treasurer are not adequately segregated resulting in control deficiencies. Statewide accounting controls over receivables can be enhanced.
The auditor general’s report also includes 11 management comments, which are less significant findings that highlight financial-related operational, policy or accounting control matters.
Management’s response to the findings and management comments and planned corrective actions are included in the report.
For more information, contact:
Dennis E. Hoyle, CPA, Auditor General
Office of the Auditor General
Providence, RI 02903
401.222.2435 ext. 3038