RD670 - Report of the Risk Assessment of Executive Branch Agency Internal Controls for Administering and Disbursing Federal Pandemic Relief Fun

Executive Summary:

In October 2022, the Department of Accounts (DOA), with the assistance of a third party, conducted a risk assessment of executive branch agency internal controls for federal funds. The risk assessment relied upon existing data and documentation and was limited in scope to the Coronavirus Relief Funds (CRF) from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), and the State and Local Fiscal Recovery Funds (SLFRF) from the American Rescue Plan Act (ARPA).(*1) While there are additional federal regulations for other pandemic funding that are not applicable to the CRF and SLFRF, this risk assessment does not address all federal compliance requirements.

Through this high-level review, the assessment concluded that executive branch agencies have adequate internal control over federal funds. However, a lack of portfolio-level oversight and centralized data systems leads to inherent challenges of managing and tracking the funds at a Commonwealth-wide level. The current decentralized system makes a review of agency-level controls difficult due to the lack of real-time visibility into agency activities.

Specific potential gaps in the Commonwealth’s current state of internal control over federal funds are:

• Lack of real-time visibility into agency internal control activities for federal funds, which can lead to reactive responses to issues versus proactive prevention;

• Reliance on self-assessments is inherently less reliable than independent, verified reviews of agencies’ risk management activities and gives less insight into agency internal control activities;

• Reliance on manual, self-reported data can lead to reported results that are less reliable than verified data, and reporting discrepancies can invite additional scrutiny;

• Subrecipient monitoring activities are conducted and validated inconsistently by agency management, and an opportunity exists to more explicitly prompt agencies to review these policies;

• Third-party provider monitoring activities are conducted and validated inconsistently by agency management and can lead to improper distributions of funds;

• Lack of knowledge transfer and cross-training can impact agency-level control over funds and can impact accuracy and timeliness of reporting; and

• Information technology (IT) related control activities are conducted and validated inconsistently by agency management and can lead to breaches of sensitive information.(*2)

The remainder of this report details the analysis performed as part of this risk assessment.
(*1) The CRF and SLFRF were appropriated among agencies via Item 479.10, Chapter 56, 2020 Acts of Assembly Special Session I, Item 479.20, Chapter 1, 2022 Acts of Assembly Special Session I, and Item 486, Chapter 2, 2022 Acts of Assembly Special Session I.
(*2) IT controls are relevant for federally funded projects where agencies are upgrading or implementing new systems or when they are collecting sensitive data.