The Statewide Risk Management Team (SRMT) has six areas of responsibility:
(1) Cyber Security "Cyber Center", (2) Enterprise System Security Administration, (3) Risk Management Reviews and Assistance, (4) Internal Control Guidance, Review and Assistance, (5) Audit Coordination, and (6) Internal Audit for CTR.
1. Cyber Center
Over the past few years cyberattacks against organizations, from large government Departments to small businesses, have been steadily growing, with hackers specifically targeting employees (phishing). And, while denial of service (DoS) attacks are still a leading form of cyber-crime, ransomware, malware and social engineering attacks are becoming more prominent in our workplace. The Commonwealth has engaged expert firms to help remediate several of these unfortunate cyber incidents and advise Departments of the proper policies and procedures to improve overall cyber hygiene. The Cyber Center features lessons learned to assist Departments with building appropriate cyber security protections and strategies as well as Cyber Incident Reports.
The SRMT manages security access for the Commonwealth’s Accounting and HR/Payroll Enterprise Systems: the Massachusetts Management Accounting and Reporting System/Labor Cost Management (MMARS/LCM), and the Human Resources/Compensation Management System (HR/CMS). Access requests are reviewed for adherence to the principles of Least Privilege and Segregation of Duties.
The SRMT also provides training for Department Security Officers (DSOs).
3. Risk Management Reviews and Assistance
The SRMT uses data analytics to identify risks in the business areas for which the Comptroller (CTR) has oversight, recommends mitigating controls for such risks, and ultimately protects against fraud, waste and abuse. SRMT also tests departments’ system transactions and back up documentation to ensure State Finance Law, and Comptroller regulations, policies and procedures are followed.
Under Chapter 647 of the Acts of 1989, the Comptroller is responsible for developing internal control guidelines for Commonwealth departments. SRMT assists departments in developing Internal Control Plans based on comprehensive assessments of risks that could impede the achievement of departments' goals and objectives.
SRMT also manages the annual Internal Control Questionnaire – a certification by departments of the existence of internal controls and best practices in various business areas to help them maintain compliance with applicable laws, regulations and policies, as well as to achieve successful program outcomes.
Coordination responsibilities include tracking the activities of various auditing entities and following up on audit findings. Departments that receive notice of an audit or review, or undertake their own department-specific audit, must notify SRMT so it can monitor potential auditor independence issues, and other auditor fiscal reviews, outcomes and reports.
6. Internal Audit for CTR
SRMT reviews the internal operations of the Comptroller’s business teams. These reviews check the effectiveness of the policies and procedures under which the teams operate in their capacity as oversight agents for the activities of other Commonwealth departments.