A Performance Audit
An Audit Report on Financial Processes at the Commission on the Arts
May 2017
Summary Analysis
The Commission on the Arts (Commission) had controls to ensure that it administered financial transactions in accordance with applicable statutes, rules, and Commission policies and procedures. However, it should improve certain controls over grant monitoring and information technology systems. Specifically:
• Grant Monitoring. The Commission should ensure that it consistently obtains reports due from grant recipients before making payments for new grants to those same grant recipients. It also should strengthen its monitoring process by performing site visits at grant recipients it deems higher risk.
• Information Technology. The Commission should assign user access rights that are specific and appropriate to each user’s responsibilities, and it should routinely review user access to information technology.
The Commission also had controls to ensure that travel expenditures complied with laws, regulations, and policies, but it should strengthen its documentation related to those travel expenditures.
The Commission had controls to award and pay grants in accordance with applicable statutes, rules, and Commission policies and procedures. For all 37 grants tested, members of the Commission on the Arts formally voted to approve the grants; the Commission documented the grant recipients’ eligibility; and the Commission obtained the required documentation, including signed contracts or assurances, from the grant recipients prior to payment.
The Commission had controls to ensure that it monitored grants and grant recipients. For all 30 fiscal year 2016 grants tested, the Commission obtained required reports from grant recipients on their uses of grant funds, reviewed the reports using a standard checklist, and followed up with grant recipients to resolve any issues. In addition, the Commission performed site visits at selected grant recipients. However, the Commission should strengthen its grant monitoring process.
The Commission should consistently obtain prior reports that are due from grant recipients before making payments for new grants to those same grant recipients.
The Commission had a process to assess risks and perform site visits to grant recipients; however, it should ensure that it performs site visits to grant recipients that it identifies as higher risk.
The Commission Should Strengthen Controls Over Certain Aspects of Its Information Technology Systems
The Commission uses the Uniform Statewide Accounting System (USAS) to record, post, and report financial transactions; and it uses its Grant Management System (GMS) to store and manage grant applications, process grant payments, and monitor grant recipients.
The Commission should strengthen user access controls for USAS. In addition, the Commission should strengthen user access controls for GMS and its components.
The Commission’s change management process for GMS included appropriate testing and approvals for changes; however, that process allowed the Commission’s external vendor to both make programming changes and place those changes in the production environment.
The Commission had controls to ensure that travel reimbursements and advances complied with laws, regulations, and policies. Although all travel expenses tested were supported, the Commission did not always fully document decisions and exceptions to requirements related to travel.