Skip to Main Content
September 30, 2020

COVID-19 Pandemic Response Internal Controls Guidance

An image of a masked man conducting drive-through COVID-19 tests

Each department is required to have a system of internal controls summarized in an Internal Control Plan that outlines objectives and risks and identifies the control activities that mitigate risk.

See Internal Control Guide

Department internal control plans must be based on risk assessments and updated annually, or when significant changes occur. Because the COVID-19 Pandemic has affected all departments, The Comptroller, in consultation with the State Auditor’s Office, is providing two options for updating internal controls.

  1. If the impact to your department is such that it can be reflected in your Internal Control Plan (ICP), then update the ICP as you would for any other mid-year changes.
  2. Departments experiencing a significant impact, and requiring the accumulation of substantial documentation (e.g. changes to business processes, requirements of federal and state-specific laws or guidance, new funds or new programs), can draft a separate COVID-19 Pandemic Response Plan Appendix to the ICP as an organized set (hard or soft copies) of emails, documents, risk assessments, policies, and procedures.

Following are examples of how departments might address the impact of the COVID-19 pandemic via internal controls:
Note: Departments will have different objectives/risks/controls depending on the level of impact they experience.


Objective 1: Perform a risk assessment of the impact of the COVID-19 pandemic on the operations of the department. Consultants are not required to perform a risk assessment; department internal auditors, fiscal, programmatic, and legal staff can evaluate current protocols and compliance requirements and identify the pandemic impacts.

Risk: Not thoroughly exploring all facets of the impact can leave the department unnecessarily exposed to risks it could mitigate.

Control 1: Stay up to date on alerts from the Governor’s Office, MEMA and state oversight agencies, the Centers for Disease Control, the World Health Organization, and others.

Control 2: Involve all levels of the department (leadership, fiscal, programmatic, communications, legal, HR, and payroll); include all external parties (oversight Departments, federal grantor agencies, clients/customers) in the risk exercise.

Objective 2: Develop safety protocols for the protection of staff, visitors, clients, patients, customers, and/or vendors.

Risk 1: Lack of preparedness can result in the contraction and spread of serious illness among employees and constituents, and significantly impact operational performance and compliance stability.

Control 1: Appoint a COVID-19 leadership team as subject matter experts that assure departmental compliance with all laws, regulations, mandates, safety protocols, etc., to coordinate and disseminate all related notices and communications, and to field and answer questions from our community.

Objective 3: Memorialize changes to business processes and internal controls necessitated by the response to the pandemic. Leadership disseminates to all staff with directives of expectations for compliance through adherence to all internal controls.

Risk 1: New programs, sources of funds, and/or working remotely may require doing normal business in different ways. Lack of documentation of changes to procedures, and the decisions leading to them, leave the department exposed to audit findings, and other operational and compliance compromises

Control 1: Each business unit will identify, document, and train staff on new protocols, changes to their usual protocols, and workarounds.

Control 2: Decisions are vetted and documented at the senior staff level.

Objective 4: Draft Telework and Return to Work Plans

Risk 1: Inability to continue critical operations remotely.

Control 1: Identify critical tasks throughout the department along with responsible parties and their backups, critical dependencies from other units within the department, and externally (other departments – e.g. EOTSS).

Control 2: Identify, procure and distribute the necessary equipment for employees to work remotely.

Risk 2: Exposure of department network, and Commonwealth Enterprise Systems, to malware/intrusion from unprotected home networks and equipment.

Control 1: Use only department-issued equipment (pcs, laptops, cell phones) that are set up with proper security protocols (Enterprise Security Standards).

Control 2: IT staff keeps up to date weekly on cyber alerts and needed patches from CISA, FBI, and other national sources. Ensure there is a protocol to update all remote equipment.

Department of Homeland Security Cyber Alerts:

Control 3: Ensure all equipment used for business purposes is inventoried, by item and person, including security set-ups, applications, operating systems, etc.

Control 4: Educate staff on the cybersecurity threats due to home networks/equipment (e.g. insist on secure internet connections), and how cyber attackers are exploiting the COVID-19 crisis through the use of phishing and social engineering.

Risk 3: Lack of a Return to Work plan impedes the ability of the department to provide a safe workplace to which to return and staff exposed to COVID-19 creates increased operational and compliance risks if staff become ill due to exposure.

Control 1: Stay up to date on available guidance. Some examples: Covid-19-updates-and-information


Objective 1: Track COVID-19 related awards and expenditures separately from other federal, state, and local activities (not co-mingled).

Risk 1: Including COVID-19 Related Federal Funds fund activities in reports with activities of other federal funds could result in an audit finding that jeopardizes COVID-19 Related Federal funding.

Control 1: Numerous controls currently exist within MMARS to develop separate accounting and reporting for COVID-19 Related Federal Funds. Given the familiarity of XYZ Department personnel with MMARS, there is a reasonable expectation that COVID-19 fund accounting, integrated with MMARS, will be monitored closely and separation can be maintained in regard to COVID-19 Related Federal Funds.

Control 2: Follow the Comptroller’s guidelines on transaction coding for COVID-19 funds – COVID-19 Revenue and Grants Policy.

Control 3: The CFO and Internal Control Officer will work closely work with the Comptroller’s Office as accounting and reporting processes continue to evolve. Controls will also be developed internally, as necessary, in response to guidance from the Comptroller’s Office, OSD, ANF, and other oversight and regulatory agencies.