REPORT ON INTERNAL CONTROL, COMPLIANCE, AND OTHER MATTERS MICHIGAN ECONOMIC DEVELOPMENT CORPORATION


MICHIGAN OFFICE OF THE AUDITOR GENERAL

REPORT ON INTERNAL CONTROL, COMPLIANCE, AND OTHER MATTERS

MICHIGAN ECONOMIC DEVELOPMENT CORPORATION
(A Discretely Presented Component Unit of the State of Michigan)

Fiscal Year Ended September 30, 2013

THOMAS H. MCTAVISH, C.P.A.
AUDITOR GENERAL

The auditor general shall conduct post audits of financial transactions and accounts of the state and of all branches, departments, offices, boards, commissions, agencies, authorities and institutions of the state established by this constitution or by law, and performance post audits thereof.

Article IV, Section 53 of the Michigan Constitution

Audit report information can be accessed at: http://audgen.michigan.gov

Michigan Office of the Auditor General
REPORT SUMMARY

Report on Internal Control, Compliance, and Other Matters
Michigan Economic Development Corporation
(A Discretely Presented Component Unit of the State of Michigan)
Fiscal Year Ended September 30, 2013

Report Number:
Released: March 2014

Generally accepted government auditing standards require an auditor to report on internal control over financial reporting; compliance with provisions of laws, regulations, contracts, or grant agreements that have a material effect on the financial statements; and other matters coming to the attention of the auditor during the completion of a financial audit. This report is being issued in conjunction with our financial audit of the Michigan Economic Development Corporation (MEDC).

Financial Statements: Auditor's Report Issued

We have audited MEDC's basic financial statements as of and for the fiscal year ended September 30, 2013 and have issued a separate report thereon dated January 24, 2014. We issued an unmodified opinion on MEDC's basic financial statements.

~~~~~~~~~~

Internal Control Over Financial Reporting

In planning and performing our audit of the basic financial statements, we considered MEDC's internal control over financial reporting (internal control) to determine the audit procedures that are appropriate in the circumstances for the purpose of expressing our opinion on the basic financial statements, but not for the purpose of expressing an opinion on the effectiveness of MEDC's internal control. Accordingly, we do not express an opinion on the effectiveness of MEDC's internal control.

Our consideration of internal control was for the limited purpose described in the preceding paragraph and was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies. Given these limitations, we did not identify any deficiencies in internal control that we consider to be material weaknesses; however, material weaknesses may exist that have not been identified.

We did identify significant deficiencies (Findings 1 through 3). A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Investment Impairment Losses
MEDC's internal control over financial reporting did not ensure that it properly recorded and reported investment impairment losses in accordance with generally accepted accounting principles (Finding 1).

Great Plains Access Controls
MEDC had not established effective access controls over its Great Plains accounting system (Finding 2).

Salesforce Access Controls
MEDC had not established effective access controls over its Salesforce customer relationship management system (Finding 3).

~~~~~~~~~~

Noncompliance and Other Matters Material to the Financial Statements

We did not identify any instances of noncompliance or other matters applicable to the basic financial statements that are required to be reported under Government Auditing Standards.

~~~~~~~~~~

Agency Response:

This report contains 3 findings and 3 corresponding recommendations. MEDC's preliminary response indicates that it agrees with all of the recommendations.

~~~~~~~~~~

Background:

Article VII, Section 28 of the Michigan Constitution and Act 7, P.A. 1967, provided for the creation of MEDC as a public body corporate. MEDC was created in April 1999 by a 10-year contract (interlocal agreement, as amended) between a participating local economic development corporation formed under Act 338, P.A. 1974, as amended, and the Michigan Strategic Fund. Article VI of the interlocal agreement provides for the automatic renewal of this initial 10-year term for two renewal periods of five years each. In April 2009, this interlocal agreement was automatically renewed for another five years.

MEDC is a separate legal entity created to promote economic growth by developing strategies and providing services to create and retain good jobs and a high quality of life for Michigan residents. Under the terms of the agreement, the governance of MEDC resides in an Executive Committee of 20 members appointed to eight-year, staggered terms by the Governor.

~~~~~~~~~~

A copy of the full report can be obtained by calling 517.334.8050 or by visiting our Web site at: http://audgen.michigan.gov

Michigan Office of the Auditor General
201 N. Washington Square
Lansing, Michigan 48913

Thomas H. McTavish, C.P.A.
Auditor General

Scott M. Strong, C.P.A., C.I.A.
Deputy Auditor General

STATE OF MICHIGAN
OFFICE OF THE AUDITOR GENERAL
201 N. WASHINGTON SQUARE
LANSING, MICHIGAN 48913
(517) 334-8050
FAX (517) 334-8079

THOMAS H. MCTAVISH, C.P.A.
AUDITOR GENERAL

March 27, 2014

Mr. Michael A. Finney, President and Chief Executive Officer
and
Mr. Doug Rothwell, Executive Committee Chair
Michigan Economic Development Corporation
300 North Washington Square
Lansing, Michigan

Dear Mr. Finney and Mr. Rothwell:

We have audited the basic financial statements of the Michigan Economic Development Corporation (MEDC), a discretely presented component unit of the State of Michigan, as of and for the fiscal year ended September 30, 2013 and have issued a separate report thereon dated January 24, 2014. In planning and performing our audit of the basic financial statements, we considered MEDC's internal control over financial reporting and compliance and other matters. This report on internal control, compliance, and other matters is being issued in conjunction with our financial audit of MEDC for the fiscal year ended September 30, 2013.

This report contains our report summary; our independent auditor's report on internal control over financial reporting and on compliance and other matters; our findings, our recommendations, and the agency preliminary responses; and a glossary of abbreviations and terms.

The agency preliminary responses were taken from the agency's response at the end of our audit fieldwork. The Michigan Compiled Laws and administrative procedures require that the audited agency develop a plan to comply with the audit recommendations and submit it within 60 days after release of the audit report to the Office of Internal Audit Services, State Budget Office. Within 30 days of receipt, the Office of Internal Audit Services is required to review the plan and either accept the plan as final or contact the agency to take additional steps to finalize the plan.

We appreciate the courtesy and cooperation extended to us during this audit.

Sincerely,

Thomas H. McTavish, C.P.A.
Auditor General

TABLE OF CONTENTS

MICHIGAN ECONOMIC DEVELOPMENT CORPORATION

INTRODUCTION
Report Summary
Report Letter

INDEPENDENT AUDITOR'S REPORT ON INTERNAL CONTROL AND COMPLIANCE
Independent Auditor's Report on Internal Control Over Financial Reporting and on Compliance and Other Matters

FINDINGS, RECOMMENDATIONS, AND AGENCY PRELIMINARY RESPONSES
1. Investment Impairment Losses
2. Great Plains Access Controls
3. Salesforce Access Controls

GLOSSARY
Glossary of Abbreviations and Terms

INDEPENDENT AUDITOR'S REPORT ON INTERNAL CONTROL AND COMPLIANCE

Independent Auditor's Report on Internal Control Over Financial Reporting and on Compliance and Other Matters

Mr. Michael A. Finney, President and Chief Executive Officer
and
Mr. Doug Rothwell, Executive Committee Chair
Michigan Economic Development Corporation
300 North Washington Square
Lansing, Michigan

Dear Mr. Finney and Mr. Rothwell:

We have audited, in accordance with the auditing standards generally accepted in the United States of America and the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States, the basic financial statements of the Michigan Economic Development Corporation, a discretely presented component unit of the State of Michigan, as of and for the fiscal year ended September 30, 2013 and the related notes to the basic financial statements and have issued our report thereon dated January 24, 2014.

Internal Control Over Financial Reporting

In planning and performing our audit of the basic financial statements, we considered the Michigan Economic Development Corporation's internal control over financial reporting (internal control) to determine the audit procedures that are appropriate in the circumstances for the purpose of expressing our opinion on the basic financial statements, but not for the purpose of expressing an opinion on the effectiveness of the Michigan Economic Development Corporation's internal control. Accordingly, we do not express an opinion on the effectiveness of the Michigan Economic Development Corporation's internal control.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's basic financial statements will not be prevented, or detected and corrected, on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Our consideration of internal control was for the limited purpose described in the first paragraph of this section and was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies and, therefore, material weaknesses or significant deficiencies may exist that were not identified. Given these limitations, during our audit we did not identify any deficiencies in internal control that we consider to be material weaknesses. However, material weaknesses may exist that have not been identified. We did identify certain deficiencies in internal control, as described in Findings 1 through 3, that we consider to be significant deficiencies.

Compliance and Other Matters

As part of obtaining reasonable assurance about whether the Michigan Economic Development Corporation's basic financial statements are free from material misstatement, we performed tests of its compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the determination of financial statement amounts. However, providing an opinion on compliance with those provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The results of our tests disclosed no instances of noncompliance or other matters that are required to be reported under Government Auditing Standards.

Michigan Economic Development Corporation's Response to Findings

The Michigan Economic Development Corporation's preliminary responses to the findings identified in our audit are included in the body of our report. The Michigan Economic Development Corporation's preliminary responses were not subjected to the auditing procedures applied in the audit of the basic financial statements and, accordingly, we express no opinion on them.

Purpose of This Report

The purpose of this report is solely to describe the scope of our testing of internal control and compliance and the results of that testing, and not to provide an opinion on the effectiveness of the entity's internal control or on compliance. This report is an integral part of an audit performed in accordance with Government Auditing Standards in considering the entity's internal control and compliance. Accordingly, this communication is not suitable for any other purpose.

Sincerely,

Thomas H. McTavish, C.P.A.
Auditor General

January 24, 2014

FINDINGS, RECOMMENDATIONS, AND AGENCY PRELIMINARY RESPONSES

FINDING 1. Investment Impairment Losses

The Michigan Economic Development Corporation's (MEDC's) internal control* over financial reporting did not ensure that it properly recorded and reported investment impairment losses in accordance with generally accepted accounting principles* (GAAP). As a result, MEDC overstated its investments and net increase in fair value of investments by $2.2 million in its fiscal year 2012-13 financial statements.

Section I50.121 of the Codification of Governmental Accounting and Financial Reporting Standards, published by the Governmental Accounting Standards Board* (GASB), provides that, when using the cost method to account for common stock investments, a decrease in value of the investment should be recognized when factors indicate that a nontemporary impairment loss has occurred, such as a series of operating losses of the investee.

As of September 30, 2013, MEDC reported the value of its venture capital investments as $7.3 million. Our testing of MEDC's reported value of its venture capital investments disclosed:

a. MEDC did not recognize an impairment loss for two investments totaling $1.3 million, although MEDC determined that its separate loans receivable from these two investees were uncollectible.

b. MEDC did not recognize an impairment loss for one investment totaling $0.9 million, although MEDC was aware that the investee had sustained significant losses over the past five years.

MEDC informed us that it did not adjust investment values for nontemporary impairment losses unless a significant event occurred, such as a bankruptcy filing or the closing of the investee's business. MEDC did not consider other factors that could cause an investment impairment loss, such as sustained operating losses of an investee or nonpayment of the investee's outstanding loans.

* See glossary at end of report for definition.

RECOMMENDATION

We recommend that MEDC implement internal control over financial reporting to ensure that it properly records and reports investment impairment losses in accordance with GAAP.

AGENCY PRELIMINARY RESPONSE

MEDC agrees with the recommendation and indicated that MEDC's long-standing policy has been to adjust investment values for impairment losses only when a significant event occurred, such as bankruptcy filing or the closing of the investee's business. MEDC indicated that it will implement a process to also include an annual review of investments that will consider any known factors that could cause an investment impairment loss.

FINDING 2. Great Plains Access Controls

MEDC had not established effective access controls* over its Great Plains accounting system (Great Plains). As a result, MEDC could not ensure that it was able to prevent or detect errors or irregularities that may be caused by users performing unauthorized activities.

Department of Technology, Management, and Budget (DTMB) Administrative Guide policy 1335 and related technical standards provide that management of State agency information systems implement sufficient system access controls to ensure that users perform only authorized activities relevant to their respective job requirements and to ensure adequate segregation of duties* in performing activities. DTMB Administrative Guide policy 1335 and related technical standards also provide that management should perform a regular review of all accounts and related privileges and require password changes in State agency information systems at least every 90 days.

MEDC uses Great Plains to record disbursements and other accounting transactions related to its nonappropriated funded activity. MEDC issued payments totaling $42.8 million to vendors using Great Plains in fiscal year 2012-13.

Our review of MEDC's access controls over Great Plains disclosed:

a. MEDC did not restrict the ability to update vendor information in Great Plains to the one individual who was assigned this responsibility. We noted that 21 users had the ability to create and edit vendor information, including the ability to edit vendor names, addresses, and bank account information used to wire payments. In addition, we noted that 7 (33.3%) of these 21 users also had the ability to approve payments. MEDC informed us that it was unaware that the 21 users' access rights allowed them to also update vendor information.

b. MEDC did not require the periodic changing of the password used to release transactions and did not know when the password was last changed.

RECOMMENDATION

We recommend that MEDC establish effective access controls over Great Plains.

AGENCY PRELIMINARY RESPONSE

MEDC agrees with the recommendation and indicated that it has already implemented the following corrective actions:

a. At MEDC's request, CBI Partners, the software hosting provider, has removed the ability to create and edit vendor information for all employees except the two employees responsible for vendor management. These employees are not involved in creating purchase orders or issuing payments.

b. At MEDC's request, new passwords have been assigned for each process and a process has been added to have CBI Partners change them every six months.

FINDING 3. Salesforce Access Controls

MEDC had not established effective access controls over its Salesforce customer relationship management system (Salesforce). As a result, MEDC could not ensure that payment requests initiated through Salesforce were properly authorized and for the correct amounts prior to recording the payments in its financial accounting systems.

DTMB Administrative Guide policy 1335 and related technical standards provide that management of State agency information systems implement sufficient system access controls to ensure that users perform only authorized activities relevant to their respective job requirements and to ensure adequate segregation of duties in performing activities. DTMB Administrative Guide policy 1335 and related technical standards also provide that management should perform a regular review of all accounts and related privileges.

MEDC uses Salesforce to track and document payment requests for many of its grants, loans, and contracts. MEDC reported that total payments authorized through Salesforce for both MEDC and Michigan Strategic Fund programs totaled $71.3 million in fiscal year 2012-13.

Our review of MEDC's access controls over Salesforce disclosed:

a. MEDC did not limit the number of system administrators* and did not assign appropriate access rights to system administrators to ensure proper segregation of duties. We noted 18 system administrators who had the ability to log in as other users and perform activities without the use of a user password.

b. MEDC did not sufficiently monitor user activity, including system administrators, within Salesforce to ensure that users performed only authorized activities relevant to their respective jobs and positions. For example, users with the ability to approve grant payments also had the ability to change payment amounts prior to approving payments in Salesforce. MEDC informed us that, although an audit trail exists in Salesforce, it did not regularly monitor this audit trail.

c. MEDC had not established a formal process to periodically review user access rights to ensure that only authorized users had access to Salesforce and that the users' access rights were commensurate with their job duties.

RECOMMENDATION

We recommend that MEDC establish effective access controls over Salesforce.

AGENCY PRELIMINARY RESPONSE

MEDC agrees with the recommendation and indicated that it has implemented or will implement corrective action. MEDC also believes that it is important to note there is no evidence or even a suggestion of abuse of Salesforce system administrator privileges. However, MEDC informed us that it has implemented the following corrective actions:

In response to part a., MEDC has reduced the number of system administrators from 18 to 13 and will review the necessity of these privileges on an ongoing basis.

In response to part b., MEDC has determined that Salesforce has the capability to disable the global capability for system administrators to log on as other users. MEDC has requested Salesforce to disable this feature.

The following corrective actions will be implemented within the next 60 days:

In response to part b., MEDC will set up procedures to monitor existing payment-related audit trails on a regular basis.

In response to part c., MEDC will set up a process to periodically check user access rights and privileges to ensure that the users' access rights are in sync with their job duties.

GLOSSARY

Glossary of Abbreviations and Terms

access controls
Controls that protect data from unauthorized modification, loss, or disclosure by restricting access and detecting inappropriate access attempts.

deficiency in internal control over financial reporting
The design or operation of a control that does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.

DTMB
Department of Technology, Management, and Budget.

financial audit
An audit that is designed to provide reasonable assurance about whether the basic financial statements of an audited entity are presented fairly, in all material respects, in accordance with the applicable financial reporting framework.

generally accepted accounting principles (GAAP)
A technical accounting term that encompasses the conventions, rules, guidelines, and procedures necessary to define accepted accounting practice at a particular time; also cited as "accounting principles generally accepted in the United States of America."

Governmental Accounting Standards Board (GASB)
An arm of the Financial Accounting Foundation established to promulgate standards of financial accounting and reporting with respect to activities and transactions of state and local governmental entities.

Great Plains
Great Plains accounting system.

internal control
A process, effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance about the achievement of the entity's objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

material misstatement
A misstatement in the basic financial statements that causes the statements to not present fairly the financial position or the changes in financial position, and, where applicable, cash flows thereof, in accordance with the applicable financial reporting framework.

material weakness in internal control over financial reporting
A deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the basic financial statements will not be prevented, or detected and corrected, on a timely basis.

MEDC
Michigan Economic Development Corporation.

Salesforce
Salesforce customer relationship management system.

segregation of duties
Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of his or her duties. Proper segregation of duties requires separating the duties of reporting, review and approval of reconciliations, and approval and control of documents.

significant deficiency in internal control over financial reporting
A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

system administrator
The person responsible for administering use of a multiuser computer system, communications system, or both.

unmodified opinion
The opinion expressed by the auditor when the auditor, having obtained sufficient appropriate audit evidence, concludes that the basic financial statements are presented fairly, in all material respects, in accordance with the applicable financial reporting framework.