OLA Audit Corrective Action Plan Status Update (CAPSU) is Due 06-17-13
In accordance with MMB Operating Policy and Procedure 0102-02, OLA Audit Report Monitoring, a May 31, 2013 email was sent to designated agency contacts throughout state government requesting an update on the status of OLA audit corrective action plans. If you received this email, you must complete the CAPSU form and return it to the Internal Control & Accountability Unit by Monday, June 17, 2013.
Your timely compliance is greatly appreciated. Please contact Heidi Henry with any questions at This email address is being protected from spambots. You need JavaScript enabled to view it. or 651-201-8078, or view the http://www.beta.mmb.state.mn.us/ola-audit-report on the Internal Control website.
Reminder: Code of Conduct Recertification is due by July 1st
The Code of Conduct is one of management’s most important tools for establishing a strong internal control environment. The Code sets an appropriate "tone at the top" by outlining the standards and expectations regarding employee honesty, integrity, and ethical behavior, and by providing mechanisms for employees to report questionable or improper activities and behaviors.
MMB Statewide Operating Policy 0103-01, Code of Conduct (and related procedures), requires each agency head and employees with applicable job responsibilities to recertify their understanding of their responsibilities under the Code and their commitment to abide by the Code’s policy provisions once each fiscal year.
For the certification form and additional Code of Conduct information/requirements please see http://www.beta.mmb.state.mn.us/code-conduct
Published: MMB Statewide Procedure 0102-02.2, Risk Assessment
MMB Statewide Procedure 0102-01.2, Risk Assessment, has been published and made effective immediately. This procedure is associated with MMB Statewide Operating Policy 0102-01, Internal Control.
The procedure outlines executive agency risk assessment responsibilities and requirements, including development of a risk assessment plan for applicable agencies. The document can be accessed at http://www.beta.mmb.state.mn.us/doc/ic/ra-procedure-13.pdf. Applicable agencies must follow this procedure in order to comply with the FY2013 Internal Control Structure certification requirements, pursuant to MN Statute 16A.057, subdivision 8.
Internal Controls Bulletins
Internal Controls Bulletins are authored by the Internal Control & Accountability Unit and published monthly. The intent is to provide Minnesota state government leaders and other interested parties with a quick read about specific internal control topics. Each bulletin also provides readers with suggestions and action steps for strengthening the internal controls within their organization.
If you would like to receive the Internal Controls Bulletin each month, click here.
Most Recent
I have to do what?!?!?!?! Turning a blind eye Premortem: The art of prospective hindsight Who owns your internal controls? |
Archives2013I have to do what?!?!?!?! Turning a blind eye Premortem: The art of prospective hindsight Who owns your internal controls?
Limits of an internal control system
Annual security certification: An internal control opportunity
2012
Maintaining a neutral view
Are you building your wings on the way down?
Avoiding a culture of silence
Your reputation is your most important asset
Wringing the most out of ethics Monitoring your control environment Make your signature count Redundant control activities: Handle with care! The tone in the middle Employee engagement = Strong internal controls
Key control activities rule!
Who is your internal control champion?
2011
How internal control works in the real world
Can control activities boost efficiency?
Minimizing "pay and chase"
The flags are red for a reason
Are you ready for change? Control during shutdown recovery The state's three lines of defense Attitudes towards risk Blind trust undermines internal controls
Uncovering fraud in the workplace
"If it is not documented, did it actually happen?"
2010
The importance of reconciliations
Risk assessments: A waste of time or a best practice?
Audit finding resolution - It does an agency good
Conquering the fear of internal control
Controls over financial reporting Honesty, integrity, and ethical behavior: It's good business Demystifying risk assessments Maintaining internal controls during disruption Control activities: authorization and approval Key elements of control environment Effective communication, the underappreciated control component Information system access
2009
Internal controls and fraud Segregation of duties, an essential control activity Internal control monitoring as a continuous process Creating an ethical framework for state employee conduct Commitment to an effective internal control system Timely business expense reimbursements save money end faq
|
By Subject MatterInternal Control Structure or General ConceptsPremortem: The art of prospective hindsight Who owns your internal controls?
Limits of an internal control system
Maintaining a neutral view
Your reputation is your most important asset
Who is your internal control champion?
How internal control works in the real world Control during shutdown recovery The state's three lines of defense Attitudes towards risk Blind trust undermines internal controls
"If it is not documented, did it actually happen?"
Audit finding resolution - It does an agency good
Conquering the fear of internal control
Controls over financial reporting Honesty, integrity, and ethical behavior: It's good business Maintaining internal controls during disruption Control activities: authorization and approval Key elements of control environment Internal control monitoring as a continuous process Creating an ethical framework for state employee conduct Commitment to an effective internal control system Timely business expense reimbursements save money
Control EnvironmentWho owns your internal controls?
Maintaining a neutral view
Avoiding a culture of silence
Wringing the most out of ethics Monitoring your control environment The tone in the middle Employee engagement = Strong internal controls
The flags are red for a reason Attitudes towards risk
Audit finding resolution - It does an agency good
Conquering the fear of internal control Honesty, integrity, and ethical behavior: It's good business Key elements of control environment Effective communication, the underappreciated control component Internal controls and fraud Creating an ethical framework for state employee conduct
Risk AssessmentI have to do what?!?!?!?! Premortem: The art of prospective hindsight
Are you building your wings on the way down?
Your reputation is your most important asset Redundant control activities: Handle with care!
Key control activities rule!
How internal control works in the real world
Can control activities boost efficiency? Attitudes towards risk
"If it is not documented, did it actually happen?"
Risk assessments: A waste of time or a best practice?
Controls over financial reporting Demystifying risk assessments
Control Activities
Annual security certification: An internal control opportunity
Are you building your wings on the way down? Monitoring your control environment Make your signature count Redundant control activities: Handle with care!
Key control activities rule!
Can control activities boost efficiency?
Minimizing "pay and chase"
Are you ready for change? Control during shutdown recovery The state's three lines of defense Blind trust undermines internal controls
"If it is not documented, did it actually happen?"
The importance of reconciliations
Risk assessments: A waste of time or a best practice?
Controls over financial reporting Honesty, integrity, and ethical behavior: It's good business Demystifying risk assessments Maintaining internal controls during disruption Control activities: authorization and approval Effective communication, the underappreciated control component Information system access Segregation of duties, an essential control activity Timely business expense reimbursements save money
Information & Communication
Maintaining a neutral view
Avoiding a culture of silence
Wringing the most out of ethics The tone in the middle Employee engagement = Strong internal controls
The flags are red for a reason
Are you ready for change? Attitudes towards risk Maintaining internal controls during disruption Effective communication, the underappreciated control component
MonitoringMonitoring your control environment
How internal control works in the real world
Are you ready for change? The state's three lines of defense
Audit finding resolution - It does an agency good Internal control monitoring as a continuous process
Information Technology Security
Annual security certification: An internal control opportunity Security role assignments impact internal controls Information system access
Separation of Duties
Limits of an internal control system
Annual security certification: An internal control opportunity Security role assignments impact internal controls Segregation of duties, an essential control activity
Fraud
The flags are red for a reason The state's three lines of defense Blind trust undermines internal controls
Uncovering fraud in the workplace Internal controls and fraud
Ethics & Code of Conduct
Wringing the most out of ethics The tone in the middle
Uncovering fraud in the workplace Honesty, integrity, and ethical behavior: It's good business Key elements of control environment Internal controls and fraud Internal control monitoring as a continuous process Creating an ethical framework for state employee conduct
Compensating Controls
Annual security certification: An internal control opportunity Security role assignments impact internal controls Information system access Segregation of duties, an essential control activity
end faq
|
|
Annual Security Review and Verification
Each year, all organizations that use the SWIFT and SEMA4 systems must evaluate the security roles assigned to each of their staff and certify those role assignments to be appropriate, pursuant to MMB Statewide Operating Policy 1101-07, Security and Access. This exercise provides each organization with an excellent opportunity to re-evaluate and improve internal controls.
Management must achieve two critical objectives when assigning security roles. First, employees must be granted the access to systems, programs, and data needed to perform their specific job functions. Failure to provide sufficient access could result in business disruption or inability to deliver critical services. Second, management must maintain adequate separation between incompatible duties. Providing incompatible access to employees increases financial risk, since these employees have the ability to create and conceal fraud, misstatements, or errors in the course of their normal job duties.
Ideal segregation of duties exists when agency management separates the following functional responsibilities between business units, or at least between different individuals within a unit:
- Authorization or approval to execute transactions
- Recording transactions in accounting records
- Custody of assets involved in the transactions
- Periodic reconciliation of existing assets to recorded amounts
The following links provide guidance and assistance for system managers to make appropriate security role decisions.
MMB Statewide Operating Policy 1107, Security and Access 
| word version
MMB Statewide Procedure 1101-07.01, Agency Security Administrators | word version
MMB Statewide Procedure 1101-07.02, Compensating Controls | word version
Department of Administration Information Policy Analysis Division - not public data 
Office of Enterprise Technology security policies
MMB Statewide Security Systems Webpage
-SWIFT and SEMA4 access forms and security role descriptions
-SWIFT Conflict Matrix and SEMA4 Incompatible Access Policy – tools and guidance that identify incompatible security role combinations that present financial risks
-January 14, 2013 Agency Security Validation Webinar and related Q&A – MMB presentation about the 2013 security and verification requirements
MMB Internal Control Bulletins relating to information security and separation of duties:
1/22/13: Annual security certification: An internal control opportunity - | word version
3/29/11: Security role assignments impact internal controls | word version
5/27/10: Maintaining internal controls during disruption
4/28/10: Control activities: authorization and approval
1/26/10: Information system access
11/30/09: Segregation of duties, an essential control activity
More Articles...
Subcategories
- Risk Assessment Guide
- Memos
- Certification
-
Roundtable Meetings
Roundtable meetings are open to all Internal Auditors/Internal Control Specialist within state government. If you would like to attend a future meeting, but have not received an invitation please contact Mike Thone at This email address is being protected from spambots. You need JavaScript enabled to view it. or Heidi Henry at This email address is being protected from spambots. You need JavaScript enabled to view it. .
If you have not yet responded to the email invitation for the upcoming meeting(s), please do so immediately so that we may plan accordingly.
Finally, if you would like to review the minutes from any of the previous meetings, you can find them at http://www.beta.mmb.state.mn.us/ic-meeting-minutes.
- Information and Communication