FINDING 2022-003
Bridges Interface Controls

See Schedule of Findings and Questioned Costs for chart/table.

Condition
The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted:

a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile.
b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information.

Cause
For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities.

Effect
MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.

Management Views
DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding.

For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely.

Auditor's Comments to Management Views
Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
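
The file-level control-total reconciliation discussed in part a. of Finding 2022-003, as an added example that is not part of the audit report and is not the State's code. The table layouts, file names, and counts are assumptions, constructed only to mirror the proportions quoted in the finding (27 daily files, 9,945 records, 2 files out of balance by 4 records in total); the example shows the same exceptions measured per file and per record.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FileControl:
    """Control total declared by the source system for one file (hypothetical layout)."""
    file_id: str
    declared_records: int


@dataclass(frozen=True)
class BatchSummary:
    """Counts logged by the receiving system for one file (hypothetical layout)."""
    file_id: str
    loaded: int
    rejected: int


@dataclass(frozen=True)
class ReconException:
    file_id: str
    declared: Optional[int]   # None when no file control row exists
    processed: Optional[int]  # None when no batch summary row exists


def reconcile(controls: List[FileControl],
              summaries: List[BatchSummary]) -> List[ReconException]:
    """Tie out every file individually: declared total must equal loaded + rejected."""
    by_id = {s.file_id: s for s in summaries}
    exceptions = []
    for c in controls:
        s = by_id.pop(c.file_id, None)
        if s is None:
            # A file that was sent but never summarized is an exception, not a pass.
            exceptions.append(ReconException(c.file_id, c.declared_records, None))
            continue
        processed = s.loaded + s.rejected
        if processed != c.declared_records:
            exceptions.append(ReconException(c.file_id, c.declared_records, processed))
    # Summaries with no matching control row mean data arrived outside the interface log.
    for orphan in by_id.values():
        exceptions.append(ReconException(orphan.file_id, None, orphan.loaded + orphan.rejected))
    return exceptions


def exception_rates(controls: List[FileControl], exceptions: List[ReconException]):
    """Return (share of files out of balance, share of records out of balance)."""
    total_records = sum(c.declared_records for c in controls)
    off_records = sum(abs(e.processed - e.declared) for e in exceptions
                      if e.declared is not None and e.processed is not None)
    return len(exceptions) / len(controls), off_records / total_records


def build_sample():
    """Constructed sample: 27 daily files, 9,945 declared records in total.

    Two files (days 5 and 19) carry a loaded count overstated by 2, standing in
    for the duplicated record counts described in the finding's Cause section.
    """
    controls, summaries = [], []
    for day in range(1, 28):
        file_id = f"IFACE_A_2022-03-{day:02d}"      # constructed name
        declared = 377 if day == 27 else 368        # 26 * 368 + 377 = 9,945
        overcount = 2 if day in (5, 19) else 0
        controls.append(FileControl(file_id, declared))
        summaries.append(BatchSummary(file_id, loaded=declared - 3 + overcount, rejected=3))
    return controls, summaries


if __name__ == "__main__":
    controls, summaries = build_sample()
    found = reconcile(controls, summaries)
    file_rate, record_rate = exception_rates(controls, found)
    for e in found:
        print(f"{e.file_id}: declared={e.declared} processed={e.processed}")
    print(f"files out of balance:   {file_rate:.0%}")
    print(f"records out of balance: {record_rate:.2%}")
```
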
FINDING 2022-004
Bridges Security Management and Access Controls*

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted:

a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests.
b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports.
c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations.
d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges.
e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users.
f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports.
g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.

Cause
For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports.

Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).

Known Questioned Costs
None.

Recommendation
We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users.

Management Views
MDHHS agrees with parts a., b., and d. through g. of the finding. MDHHS and DTMB disagree with part c. of the finding.

For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards.

Auditor's Comments to Management Views
Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.

FINDING 2022-005
Bridges Change Management Process

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.

Management Views
MDHHS agrees with the finding.

FINDING 2022-006
Income Eligibility and Verification System

See Schedule of Findings and Questioned Costs for chart/table.

Background
MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels.

Condition
MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted:

a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases.
b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a.
c. MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility.
d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies.
e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period.
f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period.
g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings.

Criteria
Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted.

Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification.

Cause
For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements.

Effect
We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs
Undeterminable.

Recommendations
We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs.

Management Views
MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding.

For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question.

For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous.

Auditor's Comments to Management Views
Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended.

Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.

FINDING 2022-007
ADP Security Program

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted:

a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan.
b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing.
c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems.

Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP.

Cause
MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment.

Effect
MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.

Management Views
MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding.

For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability.

For part c., although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls.

Auditor's Comments to Management Views
The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.

FINDING 2022-015
MDHHS, PACAP - Inappropriate PACAP Allocation

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools.

Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.

Cause
MDHHS informed us its quality control processes did not detect the errors.

Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs
$426,648 - federal share.

Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.

Management Views
MDHHS agrees with the finding.

FINDING 2022-027
SNAP Cluster, ALN 10.551 and 10.561, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - System and Organization Controls

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS should ensure it obtains and reviews System and Organization Controls (SOC) reports* covering the entire audit period for services provided by the State's electronic benefits transfer (EBT) service provider. We noted:

a. MDHHS did not obtain and review the SOC report or obtain a bridge letter for the EBT service provider who provided services for the first month of fiscal year 2022.
b. MDHHS did not obtain a bridge letter for the period not covered by the SOC report for 2 of the 4 SOC reports reviewed.
c. MDHHS did not review and evaluate 2 of the 4 SOC reports received.
d. MDHHS did not timely review the remaining 2 SOC reports received. Reviews occurred, on average, 124 days past the required 30 days.

Criteria
Federal regulation 7 CFR 274.1(i)(1) requires states to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies, and to report any violations to the federal government. Also, federal regulation 7 CFR 274.1(i)(2) requires states to obtain a SOC report by an independent auditor of the state EBT service provider regarding the issuance, redemption, and settlement of benefits under SNAP, and the SOC report must cover the entire period since the previous examination. The SOC report must follow EBT guidance as indicated in various federal regulations and Appendix VIII of the OMB Compliance Supplement to the extent the guidelines relate to SNAP benefits. The State of Michigan Financial Management Guide (FMG) (Part VII, Chapter 1, Section 1000) prescribes guidelines for departments to assess and manage risks associated with third-party relationships. Departments need to understand and/or evaluate risks and the controls each service organization designs, implements, and operates for the assigned operational process and how the service organization's internal control system impacts the department's internal control system. The FMG provides required SOC report review procedures and requires management to complete the review within 30 days of receiving the SOC report.

Cause
MDHHS stated competing priorities delayed the SOC report reviews and it did not believe they needed to review two of the SOC reports.

Effect
MDHHS cannot ensure general controls of vendor-hosted systems are sufficient to ensure the security of the issuance, redemption, and settlement of EBT benefits. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS ensure it obtains and reviews SOC reports covering the entire audit period for services provided by the State's EBT service provider.

Management Views
MDHHS agrees with the finding.
FINDING 2022-028 SNAP Cluster, ALN 10.551 and 10.561, Special Tests and Provisions - EBT Reconciliations See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS is responsible for determining eligibility for SNAP benefits. The State's EBT provider then provides the SNAP recipient with a debit card which can be used for food purchases at authorized retailer stores. The State's EBT contractor is responsible for paying retailers that have accepted EBT cards for qualified purchases. The EBT contractor then receives funds from the State, via wire transfer, as reimbursement for the retail purchases. MDHHS is responsible for reconciling the payments made to retailers by its EBT contractor with the amounts drawn from its EBT account with the U.S. Department of the Treasury. Condition MDHHS did not complete daily reconciliations of payments made to retailers by its EBT contractor with the client information recorded in its system and the reports used to make the federal draw. MDHHS developed the Benefit Issuer Food Stamp Report to summarize the total detailed daily client SNAP activity reported by its EBT contractor; however, because of inaccuracies, MDHHS did not use the report in its reconciliation process. Criteria Federal regulation 7 CFR 274.1(i)(1) requires state agencies to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies and to report any violations to the federal government. Also, federal regulation 7 CFR 274.4(a) requires state agencies to reconcile total EBT funds entering into, exiting from, and remaining in the EBT contractor's system each day and to verify retailer credit against the deposit information entered in the ACH. 
Cause MDHHS informed us that because its Benefit Issuer Food Stamp Report did not include recipients who received SNAP benefits under the expanded COVID-19 eligibility requirements, it was unable to complete the reconciliation. MDHHS also noted a change in its EBT contractor contributed to the delay in modifying the report. Effect Without proper reconciliation procedures in place, MDHHS could not ensure daily SNAP payment amounts recorded in its system were accurate. We consider this to be a material weakness and material noncompliance because of the amount of SNAP benefits issued through the EBT process and because this required daily reconciliation was not in place in fiscal year 2022. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS complete daily reconciliations of payments made to retailers by its EBT contractor with client information recorded in its system and the reports used to make the federal draw. Management Views MDHHS agrees with the finding.
FINDING 2022-029 SNAP Cluster, ALN 10.551 and 10.561, Special Tests and Provisions - EBT Card Security See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure its EBT contractor conducted monthly physical inventories of EBT cards used to provide SNAP benefits to eligible individuals. MDHHS could not provide 1 (8%) of the 12 monthly reports used by the contractor to monitor EBT cards issued and replaced. Criteria Federal regulation 7 CFR 274.1(i)(1) requires states to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies, and to report any violations to the federal government. Also, federal regulation 7 CFR 274.8(b)(3) requires states to maintain adequate security over EBT cards to prevent theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use. Cause MDHHS stated a change in the EBT contractor prevented it from obtaining the October 2021 report because the prior contractor decommissioned Michigan's EBT server. Effect MDHHS cannot determine how many EBT cards were issued or replaced during October 2021. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure its EBT contractor conducts monthly physical inventories of EBT cards to monitor EBT cards issued and replaced. Management Views MDHHS agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. 
For parts b. and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. 
c. MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-007 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted: a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan. b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing. c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP. 
Cause MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment. Effect MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding. For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. 
For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability. For part c, although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls. 
Auditor's Comments to Management Views The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-027 SNAP Cluster, ALN 10.551 and 10.561, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - System and Organization Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS should ensure it obtains and reviews System and Organization Controls (SOC) reports* covering the entire audit period for services provided by the State's electronic benefits transfer (EBT) service provider. We noted: a. MDHHS did not obtain and review the SOC report or obtain a bridge letter for the EBT service provider who provided services for the first month of fiscal year 2022. b. MDHHS did not obtain a bridge letter for the period not covered by the SOC report for 2 of the 4 SOC reports reviewed. c. MDHHS did not review and evaluate 2 of the 4 SOC reports received. d. MDHHS did not timely review the remaining 2 SOC reports received. Reviews occurred, on average, 124 days past the required 30 days. Criteria Federal regulation 7 CFR 274.1(i)(1) requires states to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies, and to report any violations to the federal government. Also, federal regulation 7 CFR 274.1(i)(2) requires states to obtain a SOC report by an independent auditor of the state EBT service provider regarding the issuance, redemption, and settlement of benefits under SNAP, and the SOC report must cover the entire period since the previous examination. The SOC report must follow EBT guidance as indicated in various federal regulations and Appendix VIII of the OMB Compliance Supplement to the extent the guidelines relate to SNAP benefits. The State of Michigan Financial Management Guide (FMG) (Part VII, Chapter 1, Section 1000) prescribes guidelines for departments to assess and manage risks associated with third-party relationships. 
Departments need to understand and/or evaluate risks and the controls each service organization designs, implements, and operates for the assigned operational process and how the service organization's internal control system impacts the department's internal control system. The FMG provides required SOC report review procedures and requires management to complete the review within 30 days of receiving the SOC report. Cause MDHHS stated competing priorities delayed the SOC report reviews and it did not believe they needed to review two of the SOC reports. Effect MDHHS cannot ensure general controls of vendor-hosted systems are sufficient to ensure the security of the issuance, redemption, and settlement of EBT benefits. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it obtains and reviews SOC reports covering the entire audit period for services provided by the State's EBT service provider. Management Views MDHHS agrees with the finding.
FINDING 2022-028 SNAP Cluster, ALN 10.551 and 10.561, Special Tests and Provisions - EBT Reconciliations See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS is responsible for determining eligibility for SNAP benefits. The State's EBT provider then provides the SNAP recipient with a debit card which can be used for food purchases at authorized retailer stores. The State's EBT contractor is responsible for paying retailers that have accepted EBT cards for qualified purchases. The EBT contractor then receives funds from the State, via wire transfer, as reimbursement for the retail purchases. MDHHS is responsible for reconciling the payments made to retailers by its EBT contractor with the amounts drawn from its EBT account with the U.S. Department of the Treasury. Condition MDHHS did not complete daily reconciliations of payments made to retailers by its EBT contractor with the client information recorded in its system and the reports used to make the federal draw. MDHHS developed the Benefit Issuer Food Stamp Report to summarize the total detailed daily client SNAP activity reported by its EBT contractor; however, because of inaccuracies, MDHHS did not use the report in its reconciliation process. Criteria Federal regulation 7 CFR 274.1(i)(1) requires state agencies to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies and to report any violations to the federal government. Also, federal regulation 7 CFR 274.4(a) requires state agencies to reconcile total EBT funds entering into, exiting from, and remaining in the EBT contractor's system each day and to verify retailer credit against the deposit information entered in the ACH. 
Cause MDHHS informed us that because its Benefit Issuer Food Stamp Report did not include recipients who received SNAP benefits under the expanded COVID-19 eligibility requirements, it was unable to complete the reconciliation. MDHHS also noted a change in its EBT contractor contributed to the delay in modifying the report. Effect Without proper reconciliation procedures in place, MDHHS could not ensure daily SNAP payment amounts recorded in its system were accurate. We consider this to be a material weakness and material noncompliance because of the amount of SNAP benefits issued through the EBT process and because this required daily reconciliation was not in place in fiscal year 2022. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS complete daily reconciliations of payments made to retailers by its EBT contractor with client information recorded in its system and the reports used to make the federal draw. Management Views MDHHS agrees with the finding.
FINDING 2022-029 SNAP Cluster, ALN 10.551 and 10.561, Special Tests and Provisions - EBT Card Security See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure its EBT contractor conducted monthly physical inventories of EBT cards used to provide SNAP benefits to eligible individuals. MDHHS could not provide 1 (8%) of the 12 monthly reports used by the contractor to monitor EBT cards issued and replaced. Criteria Federal regulation 7 CFR 274.1(i)(1) requires states to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies, and to report any violations to the federal government. Also, federal regulation 7 CFR 274.8(b)(3) requires states to maintain adequate security over EBT cards to prevent theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use. Cause MDHHS stated a change in the EBT contractor prevented it from obtaining the October 2021 report because the prior contractor decommissioned Michigan's EBT server. Effect MDHHS cannot determine how many EBT cards were issued or replaced during October 2021. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure its EBT contractor conducts monthly physical inventories of EBT cards to monitor EBT cards issued and replaced. Management Views MDHHS agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-007 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted: a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan. b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing. c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP. 
Cause MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment. Effect MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding. For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. 
For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability. For part c, although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls. 
Auditor's Comments to Management Views The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs ? $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-027 SNAP Cluster, ALN 10.551 and 10.561, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - System and Organization Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS should ensure it obtains and reviews System and Organization Controls (SOC) reports* covering the entire audit period for services provided by the State's electronic benefits transfer (EBT) service provider. We noted: a. MDHHS did not obtain and review the SOC report or obtain a bridge letter for the EBT service provider who provided services for the first month of fiscal year 2022. b. MDHHS did not obtain a bridge letter for the period not covered by the SOC report for 2 of the 4 SOC reports reviewed. c. MDHHS did not review and evaluate 2 of the 4 SOC reports received. d. MDHHS did not timely review the remaining 2 SOC reports received. Reviews occurred, on average, 124 days past the required 30 days. Criteria Federal regulation 7 CFR 274.1(i)(1) requires states to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies, and to report any violations to the federal government. Also, federal regulation 7 CFR 274.1(i)(2) requires states to obtain a SOC report by an independent auditor of the state EBT service provider regarding the issuance, redemption, and settlement of benefits under SNAP, and the SOC report must cover the entire period since the previous examination. The SOC report must follow EBT guidance as indicated in various federal regulations and Appendix VIII of the OMB Compliance Supplement to the extent the guidelines relate to SNAP benefits. The State of Michigan Financial Management Guide (FMG) (Part VII, Chapter 1, Section 1000) prescribes guidelines for departments to assess and manage risks associated with third-party relationships. 
Departments need to understand and/or evaluate risks and the controls each service organization designs, implements, and operates for the assigned operational process and how the service organization's internal control system impacts the department's internal control system. The FMG provides required SOC report review procedures and requires management to complete the review within 30 days of receiving the SOC report. Cause MDHHS stated competing priorities delayed the SOC report reviews and it did not believe they needed to review two of the SOC reports. Effect MDHHS cannot ensure general controls of vendor-hosted systems are sufficient to ensure the security of the issuance, redemption, and settlement of EBT benefits. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it obtains and reviews SOC reports covering the entire audit period for services provided by the State's EBT service provider. Management Views MDHHS agrees with the finding.
FINDING 2022-028 SNAP Cluster, ALN 10.551 and 10.561, Special Tests and Provisions - EBT Reconciliations See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS is responsible for determining eligibility for SNAP benefits. The State's EBT provider then provides the SNAP recipient with a debit card which can be used for food purchases at authorized retailer stores. The State's EBT contractor is responsible for paying retailers that have accepted EBT cards for qualified purchases. The EBT contractor then receives funds from the State, via wire transfer, as reimbursement for the retail purchases. MDHHS is responsible for reconciling the payments made to retailers by its EBT contractor with the amounts drawn from its EBT account with the U.S. Department of the Treasury. Condition MDHHS did not complete daily reconciliations of payments made to retailers by its EBT contractor with the client information recorded in its system and the reports used to make the federal draw. MDHHS developed the Benefit Issuer Food Stamp Report to summarize the total detailed daily client SNAP activity reported by its EBT contractor; however, because of inaccuracies, MDHHS did not use the report in its reconciliation process. Criteria Federal regulation 7 CFR 274.1(i)(1) requires state agencies to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies and to report any violations to the federal government. Also, federal regulation 7 CFR 274.4(a) requires state agencies to reconcile total EBT funds entering into, exiting from, and remaining in the EBT contractor's system each day and to verify retailer credit against the deposit information entered in the ACH. 
Cause MDHHS informed us that because its Benefit Issuer Food Stamp Report did not include recipients who received SNAP benefits under the expanded COVID-19 eligibility requirements, it was unable to complete the reconciliation. MDHHS also noted a change in its EBT contractor contributed to the delay in modifying the report. Effect Without proper reconciliation procedures in place, MDHHS could not ensure daily SNAP payment amounts recorded in its system were accurate. We consider this to be a material weakness and material noncompliance because of the amount of SNAP benefits issued through the EBT process and because this required daily reconciliation was not in place in fiscal year 2022. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS complete daily reconciliations of payments made to retailers by its EBT contractor with client information recorded in its system and the reports used to make the federal draw. Management Views MDHHS agrees with the finding.
FINDING 2022-029 SNAP Cluster, ALN 10.551 and 10.561, Special Tests and Provisions - EBT Card Security See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure its EBT contractor conducted monthly physical inventories of EBT cards used to provide SNAP benefits to eligible individuals. MDHHS could not provide 1 (8%) of the 12 monthly reports used by the contractor to monitor EBT cards issued and replaced. Criteria Federal regulation 7 CFR 274.1(i)(1) requires states to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies, and to report any violations to the federal government. Also, federal regulation 7 CFR 274.8(b)(3) requires states to maintain adequate security over EBT cards to prevent theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use. Cause MDHHS stated a change in the EBT contractor prevented it from obtaining the October 2021 report because the prior contractor decommissioned Michigan's EBT server. Effect MDHHS cannot determine how many EBT cards were issued or replaced during October 2021. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure its EBT contractor conducts monthly physical inventories of EBT cards to monitor EBT cards issued and replaced. Management Views MDHHS agrees with the finding.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-014 MDE, Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 29 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDE informed us that because of an oversight, it did not document the testing results and close the work items. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDE fully implement an effective change management process over MiND and NexSys. Management Views MDE agrees with the finding.
FINDING 2022-030 Food Distribution Cluster, ALN 10.565, 10.568, and 10.569, Special Tests and Provisions - Accountability for USDA Foods See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not adequately review the records of eligible recipient agencies (ERAs) receiving and distributing USDA donated foods through The Emergency Food Assistance Program (TEFAP) (Food Commodities), ALN 10.569. Our review of 6 of 29 ERAs disclosed: a. MDE discontinued the reporting period reconciliations beginning in April 2022 impacting all 6 sampled ERAs. b. For 2 TEFAP food receipt and distribution reports received prior to April 2022, MDE did not document and follow up on food inventory activity differences. Criteria Federal regulation 7 CFR 251.10(e) requires MDE to monitor TEFAP operations to ensure the program is administered in accordance with federal and State requirements. MDE's TEFAP State Plan requires each ERA to submit a quarterly inventory record which is to be reviewed by MDE to ensure USDA foods are distributed in appropriate amounts to households. As part of its monitoring procedures, MDE required ERAs to submit food receipt and distribution reports at least quarterly for reconciliation of donated food shipments with Food and Nutrition Service (FNS) web-based supply chain management reports. Cause MDE informed us it was developing a new monitoring process because it believed the reconciliations were inefficient and not reflective of TEFAP inventory movement. As a result, it discontinued the reconciliations and no longer required ERAs to submit the food receipt and distribution reports for the last 6 months of fiscal year 2022. Effect We consider this to be a material weakness and material noncompliance because MDE did not monitor USDA donated foods for the last 6 months of fiscal year 2022. Failure to comply with recordkeeping requirements may result in the loss or misuse of donated foods. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE adequately review records of ERAs receiving and distributing USDA donated foods through TEFAP. Management Views MDE agrees with the finding.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually.
For parts b. and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding.
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-031 Pandemic EBT Food Benefits, ALN 10.542, Activities Allowed or Unallowed and Eligibility - Overpayment of Benefits See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not always ensure accurate P-EBT benefits were provided to eligible beneficiaries. We noted for 1 (4%) of the 26 sampled cases reviewed, MDHHS duplicated the summer benefits resulting in an overpayment of $782. Criteria The Families First Coronavirus Response Act of 2020 (Public Law 116-127), as amended, requires MDHHS to have an approved state plan to provide P-EBT food benefits to households with children who would otherwise receive free or reduced-price meals if not for their schools being closed because of the COVID-19 emergency. MDHHS's P-EBT State Plan states it will provide the standard benefit amount for the summer period and will identify the eligible children based on eligibility in the last month of the school year. Cause MDHHS informed us that because of the timing of the 2022-2023 school enrollment for these children, a system error duplicated the 2022 summer benefits. Effect MDHHS overpaid P-EBT benefits by $782 for the sampled cases. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $782 - federal share. Recommendation We recommend MDHHS ensure accurate P-EBT benefits are provided to eligible beneficiaries. Management Views MDHHS agrees with the finding.
FINDING 2022-032 Pandemic EBT Food Benefits, ALN 10.542, Reporting - Report of Disaster Supplemental Nutrition Assistance Benefit Issuance See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not have a process in place to ensure it maintained documentation to support the submitted Report of Disaster Supplemental Nutrition Assistance Benefit Issuance (FNS-292B). For all 3 sampled reports, MDHHS did not retain auditable submitted information, such as copies or screen prints of submitted reports. Rather, MDHHS provided us an e-mail disclosing the information which it represented as submitted. Criteria Federal regulation 2 CFR 200.334 requires financial records, supporting documents, statistical records, and all other nonfederal entity records pertinent to a federal award must be retained for a period of three years from the date of submission of the final expenditure report. Federal Register 86:89 (11 May 2021) page 25,837 requires state agencies to report the number of eligible children and households receiving P-EBT benefits and total value of the benefits monthly. Cause MDHHS informed us it electronically submitted the FNS-292B using the Food Program Reporting System (FPRS), but it did not retain copies of the submitted reports and the submitted reports were not available in FPRS. Effect We were unable to validate the information submitted to USDA on the FNS-292B. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS establish a process to ensure it maintains documentation to support submitted FNS-292B reports. Management Views MDHHS disagrees that federal regulations require MDHHS to maintain copies or screenshots of FNS-292B information reported on the federal website. MDHHS normally has the ability to access the information on the federal system.
However, during audit fieldwork, the FNS-292B information MDHHS submitted on the federal website was not viewable to the auditors because the reports were under federal review. MDHHS did not retain a copy or screen prints of the submitted reports; however, MDHHS did maintain the underlying reports used to compile the submitted FNS-292B reports and this was provided to the auditors during fieldwork. Auditor's Comments to Management View MDHHS acknowledges it did not maintain a copy or screen prints of submitted reports. Documentation of submitted reports is necessary to provide auditable information to validate the accuracy of the report submission. MDHHS provided a spreadsheet and an e-mail disclosing the information which it represented as submitted; however, this information did not substantiate the FNS-292B was accurately submitted. Therefore, the finding stands as written.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-014 MDE, Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 29 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDE informed us that because of an oversight, it did not document the testing results and close the work items. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDE fully implement an effective change management process over MiND and NexSys. Management Views MDE agrees with the finding.
FINDING 2022-001 Confidential Information in SIGMA* See Schedule of Findings and Questioned Costs for chart/table. Condition The Department of Military and Veterans Affairs (DMVA) and the Michigan Department of State Police (MSP) included user identification (ID) numbers, deemed confidential information by the Department of Technology, Management, and Budget (DTMB) policy, within document attachments when entering program expenditures in the Statewide Integrated Governmental Management Applications (SIGMA). Criteria Title 2, Part 200, section 303(e) of the Code of Federal Regulations* (CFR) requires the State to take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive or the State considers sensitive consistent with applicable federal, state, local, and tribal laws regarding privacy and obligations of confidentiality*. State of Michigan Administrative Guide to State Government policy 1340.00 states security* controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity*, and availability* of State of Michigan information. The policy also requires State agencies to identify and classify their information assets based on sensitivity, criticality, and risk. State of Michigan (SOM) Technical Standard 1340.00.150.02 provides a data classification framework, including examples of confidential and restricted data, to assist State agencies in protecting the confidentiality, integrity, and availability of their systems and information. DTMB Administrative Policy 900.01, last revised in November 2016, established a data classification framework for its information assets, which includes SIGMA. Also, the policy defines and provides examples of confidential data, such as user IDs. 
Cause SIGMA users were unaware of the DTMB policy identifying user ID as confidential information. When DTMB Administrative Policy 900.01 was originally drafted, user ID was included as an example since the data element could be considered confidential by an organization unit. Effect State employees without a business need had the ability to view confidential information in SIGMA. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend DMVA and MSP adhere to established DTMB policies for confidential information in SIGMA. Management Views DMVA and MSP disagree that confidential information was included in SIGMA. Follow-up with DTMB confirmed that user ID is not considered confidential data at the DTMB enterprise level. Auditor's Comments to Management Views* In June 2023, subsequent to our review, DTMB revised the DTMB Administrative Policy 900.01. These revisions do not negate that a significant deficiency existed in fiscal year 2022. Therefore, the finding stands as written.
FINDING 2022-002 SIGMA High-Risk Activity Monitoring See Schedule of Findings and Questioned Costs for chart/table. Condition DTMB did not sufficiently monitor the DMVA and MSP high-risk activity reports to ensure users performed only authorized bypass and override actions in SIGMA. We noted DTMB did not perform the high-risk activity monitoring in a timely manner for all 6 sampled reports. DTMB provided evidence it reviewed the reports; however, on average, these reviews were completed 313 days after the reporting periods. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires agencies to monitor privileged system functions to help mitigate the risk from insider threats and detect misuse. Cause DTMB informed us a lack of oversight prevented the timely review of high-risk activity reports, and it has since reassigned staff responsibilities accordingly. Effect Individuals may have made inappropriate bypass or override actions in SIGMA that were not detected in a timely manner. As a result, an increased risk exists that DTMB did not identify inappropriate or high-risk activity associated with SIGMA transactions. 
Known Questioned Costs None. Recommendation We recommend DTMB sufficiently monitor the DMVA and MSP high-risk activity reports to ensure users performed only authorized bypass and override actions in SIGMA. Management Views DTMB agrees with the finding.
FINDING 2022-033 National Guard Military Operations and Maintenance (O&M) Projects, ALN 12.401, Cash Management - Timeliness of Cash Draws See Schedule of Findings and Questioned Costs for chart/table. Condition DMVA did not ensure its reimbursement requests were prepared in accordance with the CMIA, the program Master Cooperative Agreement, and National Guard Regulations. We sampled 40 cash draws and noted: a. DMVA prepared reimbursement requests from 71 to 189 days after the close of the month for 5 (13%) sampled cash draws. b. DMVA did not maintain documentation to support the timeliness of reimbursement requests for 5 (13%) sampled cash draws. c. DMVA did not timely submit an expenditure report for federal approval for 1 (3%) sampled cash draw. Criteria Federal regulation 31 CFR 205 Subpart B and the Master Cooperative Agreement require that a State minimize the time between the drawdown of federal funds from the federal government and their disbursement for federal program purposes. The timing and amount of funds transfers must be as close as is administratively feasible to a state's actual cash outlay for direct program costs. National Guard Regulation 5-1 requires the grantee to expend state government funds first and then to submit a request for reimbursement for allowable cooperative agreement costs. For construction appendices, DMVA sends the expenditure reports to the federal Construction and Facilities Management Officer (CFMO) for review and approval of the federal coding to be applied prior to DMVA preparing the reimbursement request. After the CFMO approves the coding, DMVA prepares the SF-270 and sends it back to the CFMO for final approval and submission to the United States Property and Fiscal Office. Cause DMVA informed us year-end closing activities and delays in receiving information from federal program managers impacted the timeliness of draws. Effect DMVA limited its assurance it complied with CMIA. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend DMVA ensure its reimbursement requests are prepared in accordance with the CMIA, the program Master Cooperative Agreement, and National Guard Regulations. Management Views DMVA agrees with the finding.
FINDING 2022-034 Community Development Block Grants/State's program, ALN 14.228, Reporting - Timeliness of Performance Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MSHDA did not ensure timely submission of the Consolidated Annual Performance and Evaluation Report. We noted MSHDA's 2021 program year report, which included Community Development Block Grant (CDBG) performance information compiled by the Michigan Strategic Fund (MSF), was due in September 2022 but was not submitted until March 2023. Criteria Federal regulation 24 CFR 91.520 requires an annual review and report of the progress made in carrying out a jurisdiction's strategic and action plans. This performance report is required to be submitted to the U.S. Department of Housing and Urban Development (HUD) within 90 days after the close of MSHDA's program year. Cause MSHDA informed us the 2021 program year report was not submitted timely because of miscommunication among its staff. MSHDA inaccurately believed a federal waiver applicable to the report due in fiscal year 2021 was still applicable for the report due in fiscal year 2022. Effect MSHDA may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of HUD funds. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MSHDA ensure it timely submits the Consolidated Annual Performance and Evaluation Report. Management Views MSHDA agrees with the finding.
FINDING 2022-035 Community Development Block Grants/State's program, ALN 14.228, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MSF did not ensure it reported all CDBG subawards as required by FFATA. We reviewed 36 subawards totaling $70,219,077 and noted MSF did not report 2 (6%) subawards totaling $7,675,940. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MSF to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MSF informed us these 2 subrecipients did not register for a unique entity identifier, which was required for FFATA reporting as of April 4, 2022. Effect MSF grant information was not available for public access through the federal website established to improve transparency of governmental spending as required. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MSF ensure it reports all CDBG subawards as required by FFATA. Management Views MSF agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subaward. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-036 Crime Victim Assistance, ALN 16.575, Eligibility - Subrecipient Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not have a process in place to ensure subrecipients met all federal eligibility requirements prior to awarding funds. Our review of 21 subrecipients noted the application documents and agreements lacked specific subrecipient eligibility requirements, such as the subrecipients' identification of financial support from sources other than the award or that they do not discriminate against victims because they disagree with the way the State is prosecuting the criminal case. We were able to determine the subrecipients' eligibility based on information provided subsequent to the award. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal law 34 USC 20103(b) requires MDHHS subrecipients to meet specific requirements to be eligible to receive a grant award. Cause MDHHS informed us that during its process to align policies and procedures for multiple programs, some intended eligibility requirements were inadvertently excluded from some subrecipient agreements. Effect Without a process and internal control in place to ensure subrecipient eligibility, MDHHS may have made payments to ineligible subrecipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS establish a process to ensure subrecipients meet all federal eligibility requirements prior to awarding funds. Management Views MDHHS agrees with the finding.
FINDING 2022-037 Crime Victim Assistance, ALN 16.575, Subrecipient Monitoring - Risk Assessment and During-the-Award Monitoring See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not sufficiently monitor and evaluate the risk of noncompliance with program requirements. We noted: a. MDHHS did not sufficiently monitor service activity for 3 (14%) of 21 subrecipients during fiscal year 2022. For 2 of the 3 subrecipients, MDHHS did not monitor the service activity for all quarters of fiscal year 2022. For 1 of the 3 subrecipients, MDHHS did not require the subrecipient to provide service activity data for its review. b. MDHHS did not evaluate 1 (5%) of 21 subrecipient's risk of noncompliance with program requirements to determine and implement the type of monitoring appropriate for the subrecipient. Criteria Federal regulation 2 CFR 200.332(d) requires MDHHS to monitor the activities of the subrecipient as necessary to ensure the subaward is used for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward and that subaward performance goals are achieved. In addition, federal regulation 2 CFR 200.332(b) requires MDHHS to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. As part of its monitoring procedures, MDHHS reviews subrecipient service activity data. Cause For part a., MDHHS informed us data was reviewed and certified by the grantee, but MDHHS did not document its review in the log. For the service activity data that was not reviewed, MDHHS believed the administrative portion of the Crime Victims Assistance funds did not require service activity reports. For part b., MDHHS informed us it completes its annual risk assessment by November 15 and adjusts its monitoring plan for any awards issued through March 31. 
The grant agreement commenced May 1, 2022 and continued through September 30, 2022 and, therefore, was not included in the fiscal year 2022 monitoring plan. Effect Insufficient monitoring and evaluation of subrecipients could increase the subrecipients' and MDHHS's noncompliance with federal statutes, regulations, or the terms and conditions of federal awards. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS sufficiently monitor and evaluate the risk of noncompliance with program requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-010 MARS User Access See Schedule of Findings and Questioned Costs for chart/table. Condition The Department of Labor and Economic Opportunity (LEO) did not fully establish effective user access controls over the Management of Awards to Recipients System (MARS). Michigan Works! Agencies used MARS to request reimbursement, report expenditures, and view financial data related to employment, education, and training services provided to clients. We noted: a. LEO did not review MARS user access semiannually for privileged accounts or annually for all other accounts. b. LEO did not disable 83 (44%) of 189 active MARS user accounts that had not accessed the application in over 60 days as of September 30, 2022. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts and that the information system automatically disable inactive user accounts after 60 days. 
Cause LEO informed us that because of staffing limitations, some processes could not be followed or established. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MARS. As a result, an increased risk exists that LEO cannot ensure the security of the MARS application and data used to issue payments to subrecipients* of federal awards. Known Questioned Costs None. Recommendation We recommend LEO fully establish effective user access controls over MARS. Management Views LEO agrees with the finding.
FINDING 2022-038 WIOA Cluster, ALN 17.258, 17.259, and 17.278, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition LEO did not ensure it timely reported WIOA Cluster subaward information required by the FFATA. We tested 25 subawards totaling $15,812,845 and noted LEO did not timely report subaward information for 10 (40%) subawards totaling $9,013,017. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires LEO to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause LEO informed us competing priorities impacted its ability to timely complete FFATA reporting. Effect LEO grant information was not available timely for public access through the federal website established to improve transparency of government spending as required. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend LEO ensure that it timely reports WIOA Cluster subaward information as required by FFATA. Management Views LEO agrees with the finding.
FINDING 2022-062 Unemployment Insurance, ALN 17.225 See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2022, Finding 2022-001. Finding 2022-001 Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment Insurance - 17.225 Federal Award Identification Number and Year: Affects all grant awards included under ALN 17.225 on the Schedule of Expenditures of Federal Awards Type of Finding: Material Noncompliance and Material Weakness Compliance Requirement: Allowable Costs/Cost Principles and Eligibility Known Questioned Costs: Undeterminable Repeat Finding: 2021-001 Systemic or Isolated: Systemic Criteria: The federal government set a prescribed claim progression and eligibility requirements for federal programs resulting from the Coronavirus pandemic. If a claimant is eligible for regular unemployment compensation, the claimant is ineligible for receiving benefits under the Pandemic Unemployment Assistance (PUA), Pandemic Emergency Unemployment Compensation (PEUC), or Extended Benefits (EB) programs. In addition, claimants must exhaust all rights to benefits under the previous claim type within the progression to become eligible for the subsequent claim type. Condition: In certain instances, the benefit system allowed for the payment of benefits under the PUA, PEUC, and EB programs when claimants were eligible for regular unemployment compensation or prior to the exhaustion of the previous claim type within the progression. Cause: Proper controls were not set within the benefit system to ensure proper eligibility and claim progression. Effect: Payments of benefits under federal programs have no net effect on the net position of the Fund since the expenditure is offset by a reimbursing federal revenue, whereas payments under regular unemployment compensation reduce the net position of the Fund.
Additionally, improper payments of benefits under federal programs create unallowed federal costs. Recommendation: We recommend that the Agency improve controls in the benefit system to ensure proper eligibility and claim progression. Views of Responsible Officials: Management agrees with the finding. Programming is currently in development to correct weeks paid and charged under one program which should have been paid and charged under a different program. A high priority focus is being given to weeks paid on PUA instead of EB and EB paid beyond the high unemployment period (HUP). Open SQRs to resolve this finding include: SQR 28182 - Weeks Number; SQR 36521 - Weeks Transfer Waivers; SQR 35565 - EB WeeksDelta Correction; and SQR 35994 WeeksDelta Overpayment Waiver. The expected completion date is December 31, 2023.
FINDING 2022-063 Unemployment Insurance, ALN 17.225 See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2022, Finding 2022-002. Finding 2022-002 Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment Insurance - 17.225 Federal Award Identification Number and Year: Various Type of Finding: Material Noncompliance Compliance Requirement: Special Tests and Provisions, UI Program Integrity - Overpayments Known Questioned Costs: None Repeat Finding: 2021-002 Systemic or Isolated: Systematic Criteria: States are prohibited from providing relief from charges to an employer's unemployment compensation account when the benefit overpayments are the result of the employer's failure to respond timely or adequately to a request for information. Condition: The Agency elected to relieve charges to an employer's unemployment compensation account when the benefit payment was the result of the employer's failure to respond timely or adequately due to the Covid-19 Pandemic causing unforeseen difficulties for employers within the State. Cause: The Agency implemented an SQR to credit the charges that would have typically been charged to the nonresponsive employer's unemployment compensation account during the Covid-19 Pandemic. However, there was an error in the logic of the SQR and certain employers did not have their charges associated with Covid-19 claims relieved. Effect: Certain nonresponsive employers incorrectly had their unemployment compensation account charged for benefits during the Covid-19 Pandemic. The Agency's policy to provide relief for employers during the Pandemic was not applied consistently to each employer.
Recommendation: We recommend that the Agency review the logic of the SQR that was implemented to credit the charges that would have typically been charged to the nonresponsive employer's unemployment compensation account during the Covid-19 Pandemic and review the benefits that were charged to employer accounts throughout the Covid-19 Pandemic to determine which employers were erroneously charged. Views of Responsible Officials: Management agrees with the finding. The Agency will review employer charging (SQR 36549), which is still in progress but has been delayed from the original anticipated completion date of September 30, 2022, due to conflicting prioritizations. The expected completion date is December 31, 2023.
FINDING 2022-064 Unemployment Insurance, ALN 17.225 See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2022, Finding 2022-003. Finding 2022-003 Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment Insurance - 17.225 Federal Award Identification Number and Year: Affects all grant awards included under ALN 17.225 on the Schedule of Expenditures of Federal Awards Type of Finding: Material Noncompliance Compliance Requirement: Special Tests and Provisions, UI Program Integrity - Overpayments Known Questioned Costs: None Repeat Finding: 2021-003 Systemic or Isolated: Systemic Criteria: Offsets of future unemployment compensation payments to recover prior overpayments are limited to the recovery of the prior overpayment amount in accordance with federal guidance. Condition: Unapplied offset recoveries attributable to subsequent period adjustments to the original benefit overpayment were used to recover penalties and interest. Cause: Due to the continual movement of monies as a result of changes in amounts due resulting from corrections or appeal decisions, a parameter has not been established in the benefit system to account for every possible scenario to prevent the allocation of unapplied recoveries to penalties and interest after overpayment amounts due were satisfied. Effect: Interest and penalties due under federal and state law were recovered from offsets of unemployment compensation payments. Recommendation: We recommend that the Agency add a parameter to the automated system to ensure adjustments to benefit offsets are only applied to the recovery of prior overpayment amounts. Views of Responsible Officials: Management agrees with the finding.
The necessary parameter was previously implemented that prevented the inappropriate allocations on current and subsequent benefit payment recoveries; however, subsequent reallocations of monies under specific circumstance caused prior recoupments to improperly reallocate. The Trust Fund Accounting section will perform a monthly review to confirm that no prior period adjustments reallocated recoupments to penalty and interest. The review to date has determined that the adjustment amounts are immaterial. An automated solution does not appear obtainable in the current system. The Agency is in the process of implementing a new automated system and will ensure these adjustments are programmed correctly. The expected completion date is December 31, 2025.
FINDING 2022-065 Unemployment Insurance, ALN 17.225 See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Administration Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2022, Finding 2022-001. Finding 2022-001 Federal Agency, Program Title and AL Number: U.S. Department of Labor, Unemployment Insurance - 17.225 Federal Award Identification Number and Year: UI-32846-19-60-A-26 01/01/2019 - 06/30/2021 UI-35951-21-60-A-26 01/01/2021 - 09/30/2023 UI-37230-22-55-A-26 10/01/2021 - 12/31/2024 UI-34722-20-55-A-26 04/01/2020 - 06/30/2023 Type of Finding: Significant Deficiency and Noncompliance Compliance Requirement: Activities Allowed or Unallowed and Reporting Known Questioned Costs: None Repeat Finding: 2021-001 Systemic or Isolated: Systemic Criteria: Management is responsible for the fair presentation of the financial statements and schedule of expenditures of federal awards in accordance with generally accepted accounting principles, including proper classification and presentation of grant expenditure amounts, as well as accurate reporting of expenditures of federal grant awards on grant reports. Condition: Amounts charged to certain federal grants were not accurately determined or reported due to use of outdated ETA report information in the process of allocating certain expenditures among available federal grants. The total expenditures on the schedule of expenditures of federal awards was not impacted by this error. Cause: Management indicated the errors were due to use of outdated ETA 902P report data in the worksheet used to calculate the allocations of federal expenditures among available federal awards. This was due to revisions made to the ETA 902P reports for fiscal year 2022. The Fund did not have an adequate process in place to ensure an effective review was conducted of the allocation inputs.
Effect: Adjustments to the schedule of expenditures of federal awards were required to correct the grant expenditure amounts reported, and certain grant expenditures were not reported correctly on grant reports. Absent effective procedures for properly allocating expenditures to available grants, there exists a potential for amounts to be charged to grants and reported in error and for misstatements in the financial statements and schedule of expenditures of federal awards to go undetected. Recommendation: We recommend management improve controls related to allocations of expenditures to available federal grants to ensure amounts are determined and reported in accordance with an appropriate and accurate allocation methodology. Views of Responsible Officials: The Michigan Department of Labor & Economic Opportunity (LEO) agrees with this finding and recommendation.
FINDING 2022-039 Formula Grants for Rural Areas and Tribal Transit Program, ALN 20.509, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Subrecipient Monitoring - PTMS Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Transportation (MDOT) did not fully establish effective security management and access controls over Public Transportation Management System (PTMS) users. Program subrecipients utilize PTMS to submit applications, operating assistance reports, payment requests, and inventory, such as vehicles, equipment, and facilities and renovations. Also, MDOT program staff utilize PTMS to manage subgrants and review and approve subrecipient payment requests. We noted: a. MDOT did not ensure it properly approved access for 2 of 7 sampled PTMS user accounts. b. MDOT did not review PTMS user access semiannually for privileged accounts or annually for all other accounts. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires security controls be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. 
The Standard also requires accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts. Cause MDOT informed us an oversight occurred due to employee turnover. Effect Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to PTMS. Known Questioned Costs None. Recommendation We recommend MDOT fully establish effective security management and access controls over PTMS. Management Views MDOT agrees with the finding.
FINDING 2022-040 Formula Grants for Rural Areas and Tribal Transit Program, ALN 20.509, Subrecipient Monitoring - Subrecipient Audits See Schedule of Findings and Questioned Costs for chart/table. Condition MDOT did not ensure its review of subrecipient single audit* reports and issuance of management decisions were completed within six months of the Federal Audit Clearinghouse (FAC) acceptance date. MDOT's process is to begin its review of subrecipient single audits after all applicable audits are received. Therefore, it reviewed the 2020 and 2021 single audits in March 2022 and March and April 2023, respectively. We noted: a. For all 9 sampled 2020 single audits, MDOT's reviews were not timely and ranged between 72 and 229 days late. b. MDOT had not reviewed any of its subrecipient 2021 single audits as of September 30, 2022, which should have been reviewed between June 2022 and September 2022. In addition, MDOT did not issue management decision letters within six months of the FAC acceptance date for 3 subrecipient single audit reports. Each of these reports contained material weaknesses. Criteria Federal regulation 2 CFR 200.501 requires nonfederal entities who expend $750,000 or more in federal awards during their fiscal year to obtain a single audit for that fiscal year. Also, federal regulation 2 CFR 200.332(f) requires the pass-through entity to verify these subrecipients are audited as required by Subpart F of the Uniform Guidance, Audit Requirements, when it is expected the subrecipient's federal awards expended during the respective fiscal year equaled or exceeded the $750,000 threshold. In addition, federal regulation 2 CFR 200.521 requires MDOT to issue a management decision letter on the appropriateness of all audit findings related to its federal awards and the subrecipient's corrective action plan within six months of acceptance by the FAC. Cause MDOT informed us an oversight occurred due to employee turnover and the need to update its procedures. 
Effect MDOT limited the State's assurance its subrecipients complied with grant requirements and implemented corrective action for audit findings to prevent future sanctions or disallowed costs, which could necessitate adjustments to MDOT's records. The federal grantor agency could issue sanctions or disallowance related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDOT ensure its review of subrecipient single audit reports and issuance of management decisions are completed within six months of the FAC acceptance date. Management Views MDOT agrees with the finding.
FINDING 2022-001 Confidential Information in SIGMA* See Schedule of Findings and Questioned Costs for chart/table. Condition The Department of Military and Veterans Affairs (DMVA) and the Michigan Department of State Police (MSP) included user identification (ID) numbers, deemed confidential information by the Department of Technology, Management, and Budget (DTMB) policy, within document attachments when entering program expenditures in the Statewide Integrated Governmental Management Applications (SIGMA). Criteria Title 2, Part 200, section 303(e) of the Code of Federal Regulations* (CFR) requires the State to take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive or the State considers sensitive consistent with applicable federal, state, local, and tribal laws regarding privacy and obligations of confidentiality*. State of Michigan Administrative Guide to State Government policy 1340.00 states security* controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity*, and availability* of State of Michigan information. The policy also requires State agencies to identify and classify their information assets based on sensitivity, criticality, and risk. State of Michigan (SOM) Technical Standard 1340.00.150.02 provides a data classification framework, including examples of confidential and restricted data, to assist State agencies in protecting the confidentiality, integrity, and availability of their systems and information. DTMB Administrative Policy 900.01, last revised in November 2016, established a data classification framework for its information assets, which includes SIGMA. Also, the policy defines and provides examples of confidential data, such as user IDs. 
Cause SIGMA users were unaware of the DTMB policy identifying user ID as confidential information. When DTMB Administrative Policy 900.01 was originally drafted, user ID was included as an example since the data element could be considered confidential by an organization unit. Effect State employees without a business need had the ability to view confidential information in SIGMA. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend DMVA and MSP adhere to established DTMB policies for confidential information in SIGMA. Management Views DMVA and MSP disagree that confidential information was included in SIGMA. Follow-up with DTMB confirmed that user ID is not considered confidential data at the DTMB enterprise level. Auditor's Comments to Management Views* In June 2023, subsequent to our review, DTMB revised the DTMB Administrative Policy 900.01. These revisions do not negate that a significant deficiency existed in fiscal year 2022. Therefore, the finding stands as written.
FINDING 2022-002 SIGMA High-Risk Activity Monitoring See Schedule of Findings and Questioned Costs for chart/table. Condition DTMB did not sufficiently monitor the DMVA and MSP high-risk activity reports to ensure users performed only authorized bypass and override actions in SIGMA. We noted DTMB did not perform the high-risk activity monitoring in a timely manner for all 6 sampled reports. DTMB provided evidence it reviewed the reports; however, on average, these reviews were completed 313 days after the reporting periods. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires agencies to monitor privileged system functions to help mitigate the risk from insider threats and detect misuse. Cause DTMB informed us a lack of oversight prevented the timely review of high-risk activity reports, and it has since reassigned staff responsibilities accordingly. Effect Individuals may have made inappropriate bypass or override actions in SIGMA that were not detected in a timely manner. As a result, an increased risk exists that DTMB did not identify inappropriate or high-risk activity associated with SIGMA transactions. 
Known Questioned Costs None. Recommendation We recommend DTMB sufficiently monitor the DMVA and MSP high-risk activity reports to ensure users performed only authorized bypass and override actions in SIGMA. Management Views DTMB agrees with the finding.
FINDING 2022-011 MATT 2.0 Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan State Housing Development Authority (MSHDA) did not fully establish effective security management and access controls over the MSHDA Activity Tracking Tool (MATT) 2.0 users. Federal program subrecipients utilize MATT 2.0 to submit financial status reports and payment requests. Also, MSHDA program staff utilize MATT 2.0 to manage subgrants and review and approve subrecipient payment requests. We noted: a. MSHDA did not establish a process to review previously created active generic or test accounts not associated with a specific user. b. MSHDA did not review user access semiannually for privileged accounts or annually for all other accounts. c. MSHDA did not disable 2,973 (85%) of 3,503 MATT 2.0 user accounts that last logged in before fiscal year 2022. These users include 75 MSHDA employees, 5 other State employees, and 2,893 external partners. Also, 2,132 (72%) of these users had not logged in since access was granted. d. MSHDA did not maintain adequate documentation that a system access form was properly approved and documented prior to granting access for 1 (11%) of 9 sampled MATT 2.0 users. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State information. 
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that agencies specify the authorized users for each account, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. Cause For parts a., b., and c., MSHDA informed us it is in the process of establishing controls over internal generic and test accounts and reviewing and disabling internal user accounts. Also, MSHDA believed its review should be limited to those users who do not use the portal. For part d., MSHDA informed us it is in the process of centralizing IT functions, and this is a training issue resulting from a shift from a decentralized to a centralized IT approach. Effect Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to MATT 2.0. As a result, an increased risk exists that MSHDA cannot ensure the security of the MATT 2.0 data used to issue payments to subrecipients of federal awards. Known Questioned Costs None. Recommendation We recommend MSHDA fully establish effective security management and access controls over MATT 2.0. Management Views MSHDA agrees with the finding.
FINDING 2022-012 MATT 2.0 Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MSHDA had not fully implemented its change management process over MATT 2.0 during fiscal year 2022. We sampled 17 MATT 2.0 change records and noted for 4 (24%) records, MSHDA did not document approvals prior to implementation of changes in the production environment. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the implementation in the production environment. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems by methods such as tracking and documenting system changes. Cause For 3 of the records, MSHDA informed us it followed its previous change management process prior to implementing a stricter change management process in November 2021, which includes requiring its electronically documented approval before any production changes can be made. For the remaining record, MSHDA was not able to provide documented support in accordance with its change management process effective November 2021. Effect Without a fully implemented change management process, individuals may make unauthorized or inappropriate changes to MATT 2.0. As a result, an increased risk exists that MSHDA cannot ensure MATT 2.0 is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MSHDA fully implement its change management process over MATT 2.0. Management Views MSHDA agrees with the finding.
FINDING 2022-041 Homeowner Assistance Fund, ALN 21.026, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Eligibility Determinations See Schedule of Findings and Questioned Costs for chart/table. Condition MSHDA did not obtain and maintain sufficient documentation to support the Homeowner Assistance Fund (HAF) applicants' eligibility was properly determined for 3 (12%) of 25 HAF assistance payments reviewed. We noted: a. For 1 (4%) applicant, sufficient documentation did not exist to support the applicant's eligibility. Contradictory information was provided by the applicant as to the hardship encountered from the COVID-19 pandemic. MSHDA did not detect this at the time of its review and, therefore, did not follow up with the applicant. b. For 1 (4%) applicant, MSHDA did not document the required income calculation to support the homeowner met the income eligibility requirement. We performed this calculation and determined the client was eligible for HAF assistance. c. For 1 (4%) applicant, MSHDA did not ensure its system checklist was completed prior to approving for eligibility. We determined this did not affect the applicant's eligibility. Criteria Subpart E of federal regulation 2 CFR 200 requires costs charged to federal programs be adequately documented, be necessary and reasonable for the administration of the federal award, be in accordance with the relative benefits received by the program, and be consistent with policies and procedures that apply to both the federal award and other activities of the state. The HAF guidance requires homeowners to attest that they experienced financial hardship after January 21, 2020 associated with the coronavirus pandemic. A financial hardship is defined as a material reduction in income or a material increase in expenses. The attestation must describe the nature of the financial hardship. 
MSHDA's internal policy requires case managers to verify and calculate homeowner income during their determination of eligibility in the initial review of the application. Case managers must record their calculations within the activity log. Calculations are performed to determine annual income utilizing supporting documentation. In addition, case managers must use a system checklist to ensure all parts of the application have been reviewed prior to approving the homeowner's eligibility. Cause MSHDA informed us these errors resulted from employee oversight. Effect MSHDA may have provided assistance to ineligible applicants. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $9,129 - federal share. Recommendation We recommend MSHDA obtain and maintain sufficient documentation to support the HAF applicants' eligibility is properly determined. Management Views MSHDA agrees with the finding.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
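The account checks named in this finding (disable after 60 days of inactivity, semiannual review of privileged accounts, annual review of all others, a signed access form, deactivation of replaced users) can be run as one pass over an account export. This is an added example, not part of the audit report or of any State of Michigan system. The record layout, user names, and the 183/365-day review windows are assumptions, and all sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

INACTIVITY_LIMIT_DAYS = 60  # threshold stated in the finding's criteria
# Assumption: "semiannually" is taken as 183 days and "annually" as 365 days.
REVIEW_WINDOW_DAYS = {True: 183, False: 365}


@dataclass(frozen=True)
class Account:
    """One row of a hypothetical account export (layout is an assumption)."""
    system: str
    user: str
    privileged: bool
    enabled: bool
    created: date
    last_login: Optional[date]    # None means the user never logged in
    last_review: Optional[date]   # None means the account was never reviewed
    approved_form: bool           # signed security access form on file
    replaced_by: Optional[str] = None  # successor named on a replacement form


def audit_account(acct: Account, as_of: date) -> List[str]:
    """Return the control exceptions for one account as of a given date."""
    if not acct.enabled:
        return []  # a disabled account cannot be used, so nothing to flag

    findings = []

    # Inactivity: a never-used account is measured from its creation date,
    # otherwise it would escape the check forever.
    last_activity = acct.last_login or acct.created
    if (as_of - last_activity).days > INACTIVITY_LIMIT_DAYS:
        findings.append("inactive_over_60_days")

    # Periodic review: a shorter window applies to privileged accounts.
    last_checked = acct.last_review or acct.created
    if (as_of - last_checked).days > REVIEW_WINDOW_DAYS[acct.privileged]:
        findings.append("review_overdue")

    # Access must be backed by a form signed by an authorized official.
    if not acct.approved_form:
        findings.append("no_approved_access_form")

    # A user who was replaced should no longer have an enabled account.
    if acct.replaced_by is not None:
        findings.append("replaced_user_still_enabled")

    return findings


def audit_accounts(accounts: List[Account],
                   as_of: date) -> Dict[Tuple[str, str], List[str]]:
    """Map (system, user) to its exceptions; clean accounts are omitted."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, as_of)
        if findings:
            report[(acct.system, acct.user)] = findings
    return report


AS_OF = date(2022, 9, 30)  # the cut-off date used in the finding

# Constructed sample records; none of these users or dates are real.
SAMPLE_ACCOUNTS = [
    # Exactly 60 days since last login: not yet over the limit.
    Account("MEGS+", "user_a", False, True, date(2021, 1, 1),
            date(2022, 8, 1), date(2022, 3, 1), True),
    # 61 days since last login.
    Account("MEGS+", "user_b", False, True, date(2021, 1, 1),
            date(2022, 7, 31), date(2022, 3, 1), True),
    # Privileged account last reviewed 213 days ago.
    Account("NexSys", "admin_c", True, True, date(2020, 1, 1),
            date(2022, 9, 29), date(2022, 3, 1), True),
    # Replaced by user_e but never deactivated.
    Account("GEMS/MARS", "user_d", False, True, date(2021, 6, 1),
            date(2022, 9, 15), date(2022, 6, 1), True, replaced_by="user_e"),
    # New account granted without a signed form; never logged in yet.
    Account("GEMS/MARS", "user_e", False, True, date(2022, 9, 1),
            None, None, False),
    # Already disabled, so it is skipped despite the old last login.
    Account("MiND", "user_f", False, False, date(2020, 1, 1),
            date(2021, 1, 1), None, True),
]

if __name__ == "__main__":
    for key, findings in audit_accounts(SAMPLE_ACCOUNTS, AS_OF).items():
        print(key, findings)
```

Running the check over every account, rather than a sample, is what makes the volume of non-privileged accounts manageable for the annual review.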
FINDING 2022-018 MDE, Subrecipient Monitoring - Subaward Information See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted: a. MDE did not report one or more of the following for 4 (16%) of 25 sampled Supporting Effective Instruction State Grant subrecipients and 28 (47%) of 60 ESF subrecipients: unique entity identifier, FAIN, federal award date, federal award project description, name of federal awarding agency and pass-through entity, ALN, Assistance Listing Title, federal award dollar amount, identification of whether the award is research and development, indirect cost rate for the federal award, an approved federally recognized indirect cost rate for the subrecipient, and closeout terms and conditions. b. MDE did not report the correct FAIN or closeout terms and conditions for all 5 sampled Coronavirus State and Local Fiscal Recovery Funds subrecipients. Criteria Federal regulation 2 CFR 200.332(a) requires that all pass-through entities ensure that every subaward includes certain information. Cause For part a., MDE informed us MEGS+ is designed to automatically generate the grant award notifications upon approval of subaward applications; however, this function did not operate correctly in fiscal year 2022. For part b., MDE informed us because of an oversight, it did not always provide all required subaward information to subrecipients. Also, MDE believed it used the best available information at the time MDE developed and executed the subawards; however, our review of documentation noted MDE was provided the program's award identification prior to the executed subawards, but MDE staff did not appropriately communicate the information to applicable parties. Effect Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. 
We consider this to be a material weakness and material noncompliance for ESF because of the high error rate related to federal award information which was not disclosed to the subrecipient. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE report to its subrecipients all subaward information as required by the Uniform Guidance. Management Views MDE agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-014 MDE, Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 29 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDE informed us that because of an oversight, it did not document the testing results and close the work items. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDE fully implement an effective change management process over MiND and NexSys. Management Views MDE agrees with the finding.
FINDING 2022-016 MDE, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not have a process to ensure it submitted subaward information in accordance with the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. MDE's process is to reopen and overwrite the previous month's report on the FFATA Subaward Reporting System (FSRS) instead of submitting a new report each month. We reviewed FSRS and MDE's FFATA documentation and could not determine if MDE timely reported subaward information for: a. All 22 sampled Supporting Effective Instruction State Grants subawards totaling $5,435,439. b. 32 (94%) of 34 sampled Education Stabilization Fund (ESF) subawards totaling $29,957,229. c. All 10 sampled CCDF Cluster subawards totaling $6,407,071. Criteria Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on its FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards. Cause MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds available for the recipient. As a result, historical data is unavailable in FSRS. Effect We were unable to determine if MDE grant information was available in a timely manner for public access through the federal website established to improve transparency of governmental spending. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE submit subaward information in accordance with FFATA and federal guidance. Management Views MDE agrees with the finding.
FINDING 2022-018 MDE, Subrecipient Monitoring - Subaward Information See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted: a. MDE did not report one or more of the following for 4 (16%) of 25 sampled Supporting Effective Instruction State Grant subrecipients and 28 (47%) of 60 ESF subrecipients: unique entity identifier, FAIN, federal award date, federal award project description, name of federal awarding agency and pass-through entity, ALN, Assistance Listing Title, federal award dollar amount, identification of whether the award is research and development, indirect cost rate for the federal award, an approved federally recognized indirect cost rate for the subrecipient, and closeout terms and conditions. b. MDE did not report the correct FAIN or closeout terms and conditions for all 5 sampled Coronavirus State and Local Fiscal Recovery Funds subrecipients. Criteria Federal regulation 2 CFR 200.332(a) requires that all pass-through entities ensure that every subaward includes certain information. Cause For part a., MDE informed us MEGS+ is designed to automatically generate the grant award notifications upon approval of subaward applications; however, this function did not operate correctly in fiscal year 2022. For part b., MDE informed us because of an oversight, it did not always provide all required subaward information to subrecipients. Also, MDE believed it used the best available information at the time MDE developed and executed the subawards; however, our review of documentation noted MDE was provided the program's award identification prior to the executed subawards, but MDE staff did not appropriately communicate the information to applicable parties. Effect Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. 
We consider this to be a material weakness and material noncompliance for ESF because of the high error rate related to federal award information which was not disclosed to the subrecipient. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE report to its subrecipients all subaward information as required by the Uniform Guidance. Management Views MDE agrees with the finding.
FINDING 2022-042 Education Stabilization Fund, ALN 84.425, Subrecipient Monitoring - During-the-Award Monitoring Procedures See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not complete sufficient during-the-award monitoring procedures in fiscal year 2022. MDE provided its subrecipients a two-year grant and notified its subrecipients in their grant award notification that a final expenditure report (FER) was due by August 29, 2022. As of September 30, 2022, MDE received 1,335 (78%) of 1,717 FERs for the two-year grant. In addition, MDE contracted with a vendor to conduct desk reviews of ESF subrecipients beginning in July 2022. We noted: a. MDE did not complete any reviews of the FERs submitted during fiscal year 2022. We determined subrecipients submitted 990 (58%) FERs by August 29, 2022. b. Neither MDE nor its contractor could provide documentation supporting the subrecipient desk reviews finalized and whether any corrective action was required or enforcement action was taken against noncompliant subrecipients during fiscal year 2022. Criteria Federal regulation 2 CFR 200.303 requires the nonfederal entity to establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of federal awards. In addition, federal regulation 2 CFR 200.332(d) states that all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
• Reviewing financial and performance reports required by the pass-through entity.
• Following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address single audit findings related to the particular subaward.
Federal regulation 2 CFR 200.332(h) states that all pass-through entities must consider taking enforcement action against noncompliant subrecipients. MDE's grant award notifications required ESF subrecipients to submit a FER by August 29, 2022. MDE contracted for the completion of subrecipient desk reviews. Cause MDE elected to delay its review of FERs until all FERs were received. Also, because MDE's contracted desk reviews did not begin until July 2022, it was unable to finalize any individual subrecipient reviews by September 30, 2022. Effect MDE may not identify in a timely manner subrecipients that used funds for unauthorized purposes. We consider this to be a material weakness and material noncompliance because of lack of during-the-award monitoring activities. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE complete sufficient during-the-award monitoring of ESF subrecipients. Management Views For part a., MDE partially agrees with the finding. MDE acknowledges that it did not complete any reviews of the FERs submitted during fiscal year 2022. However, the Uniform Guidance does not specify a timeframe for the review of FERs for ESF funds and the ESF program is inherently more flexible than other federal programs in this regard.
Although grant award notifications (GANs) originally required ESF subrecipients to submit a FER by August 29, 2022, MDE communicated to ESF subrecipients after the initial GANs that the August 29, 2022 due date was subject to change due to the continuously changing rules and requirements around this funding, including extension possibilities such as late liquidation. ESF FERs were due either within 60 days of full draw of the funds or within 60 days of the end of the award period, which could have been during the State's fiscal year 2022 or well after September 30, 2022. For this reason, under Uniform Guidance, MDE had the authority to delay the review of FERs until closer to the end date of the award. In the case of late liquidation, the U.S. Department of Education provided notification that extended the award period as far as 14 months beyond the original end date of the award. For part b., MDE partially agrees with the finding. MDE acknowledges that subrecipient desk reviews were not finalized; however, the majority of the subrecipient monitoring was complete. The Uniform Guidance does not specify a timeframe for ESF subrecipient monitoring to occur and no requirement or expectation was made that monitoring would be finalized by MDE management by September 30, 2022. While the MDE contractor was not tracking completion against the date of September 30, 2022, documentation was and is still available, upon request from the OAG, to demonstrate the substantial ongoing monitoring activities, such as desk reviews and review of amendments, as of the end of the State's fiscal year 2022. The Compliance Team was in regular contact with MDE throughout the monitoring process. The Compliance Team provided regular updates leading up to September 30, 2022 and shared comprehensive preliminary results with the department soon after September 30, 2022. 
Auditor's Comments to Management Views We determined, and MDE acknowledged, it did not complete any FER reviews or finalize any desk reviews as part of its during-the-award monitoring activities for the $1.8 billion provided to subrecipients in fiscal year 2022. In addition, the contractor acknowledged it did not have a tracking mechanism in place identifying when desk reviews were completed; consequently, documentation did not exist to validate MDE's assertion that a majority of the subrecipient monitoring was complete. Federal regulation 2 CFR 200 Subpart F requires the SOM single audit be conducted annually in accordance with the State's fiscal year, which represents the period covered by the auditor's compliance opinion. Therefore, sufficient appropriate evidence must exist during the audit period to determine whether MDE complied with the subrecipient monitoring requirement identified as subject to audit in the OMB Compliance Supplement. Sufficient appropriate evidence did not exist in fiscal year 2022 to support compliance with federal regulation 2 CFR 200.332(d). Therefore, the finding stands as written.
FINDING 2022-018 MDE, Subrecipient Monitoring - Subaward Information See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted: a. MDE did not report one or more of the following for 4 (16%) of 25 sampled Supporting Effective Instruction State Grant subrecipients and 28 (47%) of 60 ESF subrecipients: unique entity identifier, FAIN, federal award date, federal award project description, name of federal awarding agency and pass-through entity, ALN, Assistance Listing Title, federal award dollar amount, identification of whether the award is research and development, indirect cost rate for the federal award, an approved federally recognized indirect cost rate for the subrecipient, and closeout terms and conditions. b. MDE did not report the correct FAIN or closeout terms and conditions for all 5 sampled Coronavirus State and Local Fiscal Recovery Funds subrecipients. Criteria Federal regulation 2 CFR 200.332(a) requires that all pass-through entities ensure that every subaward includes certain information. Cause For part a., MDE informed us MEGS+ is designed to automatically generate the grant award notifications upon approval of subaward applications; however, this function did not operate correctly in fiscal year 2022. For part b., MDE informed us because of an oversight, it did not always provide all required subaward information to subrecipients. Also, MDE believed it used the best available information at the time MDE developed and executed the subawards; however, our review of documentation noted MDE was provided the program's award identification prior to the executed subawards, but MDE staff did not appropriately communicate the information to applicable parties. Effect Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. 
We consider this to be a material weakness and material noncompliance for ESF because of the high error rate related to federal award information which was not disclosed to the subrecipient. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE report to its subrecipients all subaward information as required by the Uniform Guidance. Management Views MDE agrees with the finding.
FINDING 2022-042 Education Stabilization Fund, ALN 84.425, Subrecipient Monitoring - During-the-Award Monitoring Procedures See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not complete sufficient during-the-award monitoring procedures in fiscal year 2022. MDE provided its subrecipients a two-year grant and notified its subrecipients in their grant award notification that a final expenditure report (FER) was due by August 29, 2022. As of September 30, 2022, MDE received 1,335 (78%) of 1,717 FERs for the two-year grant. In addition, MDE contracted with a vendor to conduct desk reviews of ESF subrecipients beginning in July 2022. We noted: a. MDE did not complete any reviews of the FERs submitted during fiscal year 2022. We determined subrecipients submitted 990 (58%) FERs by August 29, 2022. b. Neither MDE nor its contractor could provide documentation supporting the subrecipient desk reviews finalized and whether any corrective action was required or enforcement action was taken against noncompliant subrecipients during fiscal year 2022. Criteria Federal regulation 2 CFR 200.303 requires the nonfederal entity to establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of federal awards. In addition, federal regulation 2 CFR 200.332(d) states that all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
• Reviewing financial and performance reports required by the pass-through entity.
• Following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address single audit findings related to the particular subaward.
Federal regulation 2 CFR 200.332(h) states that all pass-through entities must consider taking enforcement action against noncompliant subrecipients. MDE's grant award notifications required ESF subrecipients to submit a FER by August 29, 2022. MDE contracted for the completion of subrecipient desk reviews. Cause MDE elected to delay its review of FERs until all FERs were received. Also, because MDE's contracted desk reviews did not begin until July 2022, it was unable to finalize any individual subrecipient reviews by September 30, 2022. Effect MDE may not identify in a timely manner subrecipients that used funds for unauthorized purposes. We consider this to be a material weakness and material noncompliance because of lack of during-the-award monitoring activities. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE complete sufficient during-the-award monitoring of ESF subrecipients. Management Views For part a., MDE partially agrees with the finding. MDE acknowledges that it did not complete any reviews of the FERs submitted during fiscal year 2022. However, the Uniform Guidance does not specify a timeframe for the review of FERs for ESF funds and the ESF program is inherently more flexible than other federal programs in this regard. 
Although grant award notifications (GANs) originally required ESF subrecipients to submit a FER by August 29, 2022, MDE communicated to ESF subrecipients after the initial GANs that the August 29, 2022 due date was subject to change due to the continuously changing rules and requirements around this funding, including extension possibilities such as late liquidation. ESF FERs were due either within 60 days of full draw of the funds or within 60 days of the end of the award period, which could have been during the State's fiscal year 2022 or well after September 30, 2022. For this reason, under Uniform Guidance, MDE had the authority to delay the review of FERs until closer to the end date of the award. In the case of late liquidation, the U.S. Department of Education provided notification that extended the award period as far as 14 months beyond the original end date of the award. For part b., MDE partially agrees with the finding. MDE acknowledges that subrecipient desk reviews were not finalized; however, the majority of the subrecipient monitoring was complete. The Uniform Guidance does not specify a timeframe for ESF subrecipient monitoring to occur and no requirement or expectation was made that monitoring would be finalized by MDE management by September 30, 2022. While the MDE contractor was not tracking completion against the date of September 30, 2022, documentation was and is still available, upon request from the OAG, to demonstrate the substantial ongoing monitoring activities, such as desk reviews and review of amendments, as of the end of the State's fiscal year 2022. The Compliance Team was in regular contact with MDE throughout the monitoring process. The Compliance Team provided regular updates leading up to September 30, 2022 and shared comprehensive preliminary results with the department soon after September 30, 2022. 
Auditor's Comments to Management Views We determined, and MDE acknowledged, it did not complete any FER reviews or finalize any desk reviews as part of its during-the-award monitoring activities for the $1.8 billion provided to subrecipients in fiscal year 2022. In addition, the contractor acknowledged it did not have a tracking mechanism in place identifying when desk reviews were completed; consequently, documentation did not exist to validate MDE's assertion that a majority of the subrecipient monitoring was complete. Federal regulation 2 CFR 200 Subpart F requires the SOM single audit be conducted annually in accordance with the State's fiscal year, which represents the period covered by the auditor's compliance opinion. Therefore, sufficient appropriate evidence must exist during the audit period to determine whether MDE complied with the subrecipient monitoring requirement identified as subject to audit in the OMB Compliance Supplement. Sufficient appropriate evidence did not exist in fiscal year 2022 to support compliance with federal regulation 2 CFR 200.332(d). Therefore, the finding stands as written.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
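The account checks named in Finding 2022-013 (accounts inactive for over 60 days still enabled, privileged accounts not reviewed semiannually, other accounts not reviewed annually, and a replaced user left active) can be run against an account export. The Python example below is added here for illustration and is not part of the audit report or of any State of Michigan system; the record fields, the reading of "semiannually" as 183 days, counting a never-used account's inactivity from its creation date, and the sample accounts are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Thresholds taken from the Criteria text; 183 days for "semiannually" is an assumption.
INACTIVITY_LIMIT = timedelta(days=60)
PRIVILEGED_REVIEW_INTERVAL = timedelta(days=183)
STANDARD_REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class Account:
    """One row of a hypothetical account export (field names are assumptions)."""
    system: str
    user: str
    privileged: bool
    enabled: bool
    created: date
    last_login: Optional[date]       # None: the account has never been used
    last_review: Optional[date]      # None: no documented review on file
    replaced_by: Optional[str] = None  # successor named on an access form


def audit_accounts(accounts: List[Account], as_of: date) -> List[Tuple[str, str, str]]:
    """Return sorted (system, user, exception) tuples for enabled accounts."""
    exceptions = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts already satisfy every check below

        # Part d: not accessed in over 60 days. Exactly 60 days is not an exception.
        last_activity = acct.last_login or acct.created
        if as_of - last_activity > INACTIVITY_LIMIT:
            exceptions.append((acct.system, acct.user, "inactive_over_60_days"))

        # Parts b and c: documented review older than the interval for the account type.
        interval = PRIVILEGED_REVIEW_INTERVAL if acct.privileged else STANDARD_REVIEW_INTERVAL
        label = "privileged_review_overdue" if acct.privileged else "annual_review_overdue"
        if as_of - (acct.last_review or acct.created) > interval:
            exceptions.append((acct.system, acct.user, label))

        # Part a: the access form replaced this user, yet the account is still enabled.
        if acct.replaced_by is not None:
            exceptions.append((acct.system, acct.user, "replaced_user_still_active"))
    return sorted(exceptions)


AS_OF = date(2022, 9, 30)  # the as-of date used in the finding

# Constructed sample data; none of these accounts are real.
SAMPLE_ACCOUNTS = [
    Account("MEGS+", "user_a", False, True, date(2021, 1, 10), date(2022, 9, 1), date(2022, 3, 15)),
    Account("MEGS+", "admin_b", True, True, date(2020, 5, 1), date(2022, 9, 20), date(2022, 2, 1)),
    Account("GEMS/MARS", "user_c", False, True, date(2019, 4, 2), date(2022, 7, 31), date(2022, 1, 5)),
    Account("GEMS/MARS", "user_d", False, True, date(2019, 4, 2), date(2022, 8, 1), date(2022, 1, 5)),
    Account("NexSys", "user_e", False, True, date(2022, 6, 1), date(2022, 9, 15), None, "user_f"),
    Account("Catamaran", "user_g", False, True, date(2022, 5, 1), None, None),
    Account("MiND", "user_h", False, False, date(2018, 3, 3), date(2021, 1, 1), None),
]

if __name__ == "__main__":
    for system, user, exception in audit_accounts(SAMPLE_ACCOUNTS, AS_OF):
        print(f"{system:10} {user:8} {exception}")
```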
FINDING 2022-016 MDE, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not have a process to ensure it submitted subaward information in accordance with the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. MDE's process is to reopen and overwrite the previous month's report on the FFATA Subaward Reporting System (FSRS) instead of submitting a new report each month. We reviewed FSRS and MDE's FFATA documentation and could not determine if MDE timely reported subaward information for: a. All 22 sampled Supporting Effective Instruction State Grants subawards totaling $5,435,439. b. 32 (94%) of 34 sampled Education Stabilization Fund (ESF) subawards totaling $29,957,229. c. All 10 sampled CCDF Cluster subawards totaling $6,407,071. Criteria Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on its FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards. Cause MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds available for the recipient. As a result, historical data is unavailable in FSRS. Effect We were unable to determine if MDE grant information was available in a timely manner for public access through the federal website established to improve transparency of governmental spending. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE submit subaward information in accordance with FFATA and federal guidance. Management Views MDE agrees with the finding.
FINDING 2022-018 MDE, Subrecipient Monitoring - Subaward Information See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted: a. MDE did not report one or more of the following for 4 (16%) of 25 sampled Supporting Effective Instruction State Grant subrecipients and 28 (47%) of 60 ESF subrecipients: unique entity identifier, FAIN, federal award date, federal award project description, name of federal awarding agency and pass-through entity, ALN, Assistance Listing Title, federal award dollar amount, identification of whether the award is research and development, indirect cost rate for the federal award, an approved federally recognized indirect cost rate for the subrecipient, and closeout terms and conditions. b. MDE did not report the correct FAIN or closeout terms and conditions for all 5 sampled Coronavirus State and Local Fiscal Recovery Funds subrecipients. Criteria Federal regulation 2 CFR 200.332(a) requires that all pass-through entities ensure that every subaward includes certain information. Cause For part a., MDE informed us MEGS+ is designed to automatically generate the grant award notifications upon approval of subaward applications; however, this function did not operate correctly in fiscal year 2022. For part b., MDE informed us because of an oversight, it did not always provide all required subaward information to subrecipients. Also, MDE believed it used the best available information at the time MDE developed and executed the subawards; however, our review of documentation noted MDE was provided the program's award identification prior to the executed subawards, but MDE staff did not appropriately communicate the information to applicable parties. Effect Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. 
We consider this to be a material weakness and material noncompliance for ESF because of the high error rate related to federal award information which was not disclosed to the subrecipient. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE report to its subrecipients all subaward information as required by the Uniform Guidance. Management Views MDE agrees with the finding.
FINDING 2022-042 Education Stabilization Fund, ALN 84.425, Subrecipient Monitoring - During-the-Award Monitoring Procedures See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not complete sufficient during-the-award monitoring procedures in fiscal year 2022. MDE provided its subrecipients a two-year grant and notified its subrecipients in their grant award notification that a final expenditure report (FER) was due by August 29, 2022. As of September 30, 2022, MDE received 1,335 (78%) of 1,717 FERs for the two-year grant. In addition, MDE contracted with a vendor to conduct desk reviews of ESF subrecipients beginning in July 2022. We noted: a. MDE did not complete any reviews of the FERs submitted during fiscal year 2022. We determined subrecipients submitted 990 (58%) FERs by August 29, 2022. b. Neither MDE nor its contractor could provide documentation supporting the subrecipient desk reviews finalized and whether any corrective action was required or enforcement action was taken against noncompliant subrecipients during fiscal year 2022. Criteria Federal regulation 2 CFR 200.303 requires the nonfederal entity to establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of federal awards. In addition, federal regulation 2 CFR 200.332(d) states that all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
• Reviewing financial and performance reports required by the pass-through entity.
• Following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address single audit findings related to the particular subaward.
Federal regulation 2 CFR 200.332(h) states that all pass-through entities must consider taking enforcement action against noncompliant subrecipients. MDE's grant award notifications required ESF subrecipients to submit a FER by August 29, 2022. MDE contracted for the completion of subrecipient desk reviews. Cause MDE elected to delay its review of FERs until all FERs were received. Also, because MDE's contracted desk reviews did not begin until July 2022, it was unable to finalize any individual subrecipient reviews by September 30, 2022. Effect MDE may not identify in a timely manner subrecipients that used funds for unauthorized purposes. We consider this to be a material weakness and material noncompliance because of lack of during-the-award monitoring activities. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE complete sufficient during-the-award monitoring of ESF subrecipients. Management Views For part a., MDE partially agrees with the finding. MDE acknowledges that it did not complete any reviews of the FERs submitted during fiscal year 2022. However, the Uniform Guidance does not specify a timeframe for the review of FERs for ESF funds and the ESF program is inherently more flexible than other federal programs in this regard.
Although grant award notifications (GANs) originally required ESF subrecipients to submit a FER by August 29, 2022, MDE communicated to ESF subrecipients after the initial GANs that the August 29, 2022 due date was subject to change due to the continuously changing rules and requirements around this funding, including extension possibilities such as late liquidation. ESF FERs were due either within 60 days of full draw of the funds or within 60 days of the end of the award period, which could have been during the State's fiscal year 2022 or well after September 30, 2022. For this reason, under Uniform Guidance, MDE had the authority to delay the review of FERs until closer to the end date of the award. In the case of late liquidation, the U.S. Department of Education provided notification that extended the award period as far as 14 months beyond the original end date of the award. For part b., MDE partially agrees with the finding. MDE acknowledges that subrecipient desk reviews were not finalized; however, the majority of the subrecipient monitoring was complete. The Uniform Guidance does not specify a timeframe for ESF subrecipient monitoring to occur and no requirement or expectation was made that monitoring would be finalized by MDE management by September 30, 2022. While the MDE contractor was not tracking completion against the date of September 30, 2022, documentation was and is still available, upon request from the OAG, to demonstrate the substantial ongoing monitoring activities, such as desk reviews and review of amendments, as of the end of the State's fiscal year 2022. The Compliance Team was in regular contact with MDE throughout the monitoring process. The Compliance Team provided regular updates leading up to September 30, 2022 and shared comprehensive preliminary results with the department soon after September 30, 2022. 
Auditor's Comments to Management Views We determined, and MDE acknowledged, it did not complete any FER reviews or finalize any desk reviews as part of its during-the-award monitoring activities for the $1.8 billion provided to subrecipients in fiscal year 2022. In addition, the contractor acknowledged it did not have a tracking mechanism in place identifying when desk reviews were completed; consequently, documentation did not exist to validate MDE's assertion that a majority of the subrecipient monitoring was complete. Federal regulation 2 CFR 200 Subpart F requires the SOM single audit be conducted annually in accordance with the State's fiscal year, which represents the period covered by the auditor's compliance opinion. Therefore, sufficient appropriate evidence must exist during the audit period to determine whether MDE complied with the subrecipient monitoring requirement identified as subject to audit in the OMB Compliance Supplement. Sufficient appropriate evidence did not exist in fiscal year 2022 to support compliance with federal regulation 2 CFR 200.332(d). Therefore, the finding stands as written.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-014 MDE, Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 29 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDE informed us that because of an oversight, it did not document the testing results and close the work items. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDE fully implement an effective change management process over MiND and NexSys. Management Views MDE agrees with the finding.
FINDING 2022-016 MDE, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not have a process to ensure it submitted subaward information in accordance with the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. MDE's process is to reopen and overwrite the previous month's report on the FFATA Subaward Reporting System (FSRS) instead of submitting a new report each month. We reviewed FSRS and MDE's FFATA documentation and could not determine if MDE timely reported subaward information for: a. All 22 sampled Supporting Effective Instruction State Grants subawards totaling $5,435,439. b. 32 (94%) of 34 sampled Education Stabilization Fund (ESF) subawards totaling $29,957,229. c. All 10 sampled CCDF Cluster subawards totaling $6,407,071. Criteria Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on its FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards. Cause MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds available for the recipient. As a result, historical data is unavailable in FSRS. Effect We were unable to determine if MDE grant information was available in a timely manner for public access through the federal website established to improve transparency of governmental spending. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE submit subaward information in accordance with FFATA and federal guidance. Management Views MDE agrees with the finding.
FINDING 2022-018 MDE, Subrecipient Monitoring - Subaward Information See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted: a. MDE did not report one or more of the following for 4 (16%) of 25 sampled Supporting Effective Instruction State Grant subrecipients and 28 (47%) of 60 ESF subrecipients: unique entity identifier, FAIN, federal award date, federal award project description, name of federal awarding agency and pass-through entity, ALN, Assistance Listing Title, federal award dollar amount, identification of whether the award is research and development, indirect cost rate for the federal award, an approved federally recognized indirect cost rate for the subrecipient, and closeout terms and conditions. b. MDE did not report the correct FAIN or closeout terms and conditions for all 5 sampled Coronavirus State and Local Fiscal Recovery Funds subrecipients. Criteria Federal regulation 2 CFR 200.332(a) requires that all pass-through entities ensure that every subaward includes certain information. Cause For part a., MDE informed us MEGS+ is designed to automatically generate the grant award notifications upon approval of subaward applications; however, this function did not operate correctly in fiscal year 2022. For part b., MDE informed us because of an oversight, it did not always provide all required subaward information to subrecipients. Also, MDE believed it used the best available information at the time MDE developed and executed the subawards; however, our review of documentation noted MDE was provided the program's award identification prior to the executed subawards, but MDE staff did not appropriately communicate the information to applicable parties. Effect Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. 
We consider this to be a material weakness and material noncompliance for ESF because of the high error rate related to federal award information which was not disclosed to the subrecipient. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE report to its subrecipients all subaward information as required by the Uniform Guidance. Management Views MDE agrees with the finding
FINDING 2022-042 Education Stabilization Fund, ALN 84.425, Subrecipient Monitoring - During-the-Award Monitoring Procedures See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not complete sufficient during-the-award monitoring procedures in fiscal year 2022. MDE provided its subrecipients a two-year grant and notified its subrecipients in their grant award notification that a final expenditure report (FER) was due by August 29, 2022. As of September 30, 2022, MDE received 1,335 (78%) of 1,717 FERs for the two-year grant. In addition, MDE contracted with a vendor to conduct desk reviews of ESF subrecipients beginning in July 2022. We noted: a. MDE did not complete any reviews of the FERs submitted during fiscal year 2022. We determined subrecipients submitted 990 (58%) FERs by August 29, 2022. b. Neither MDE nor its contractor could provide documentation supporting the subrecipient desk reviews finalized and whether any corrective action was required or enforcement action was taken against noncompliant subrecipients during fiscal year 2022. Criteria Federal regulation 2 CFR 200.303 requires the nonfederal entity to establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of federal awards. In addition, federal regulation 2 CFR 200.332(d) states that all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: ? Reviewing financial and performance reports required by the pass-through entity. ? 
Following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address single audit findings related to the particular subaward. Federal regulation 2 CFR 200.332(h) states that all pass-through entities must consider taking enforcement action against noncompliant subrecipients. MDE's grant award notifications required ESF subrecipients to submit a FER by August 29, 2022. MDE contracted for the completion of subrecipient desk reviews. Cause MDE elected to delay its review of FERs until all FERs were received. Also, because MDE's contracted desk reviews did not begin until July 2022, it was unable to finalize any individual subrecipient reviews by September 30, 2022. Effect MDE may not identify in a timely manner subrecipients that used funds for unauthorized purposes. We consider this to be a material weakness and material noncompliance because of lack of during-the-award monitoring activities. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE complete sufficient during-the-award monitoring of ESF subrecipients. Management Views For part a., MDE partially agrees with the finding. MDE acknowledges that it did not complete any reviews of the FERs submitted during fiscal year 2022. However, the Uniform Guidance does not specify a timeframe for the review of FERs for ESF funds and the ESF program is inherently more flexible than other federal programs in this regard. 
Although grant award notifications (GANs) originally required ESF subrecipients to submit a FER by August 29, 2022, MDE communicated to ESF subrecipients after the initial GANs that the August 29, 2022 due date was subject to change due to the continuously changing rules and requirements around this funding, including extension possibilities such as late liquidation. ESF FERs were due either within 60 days of full draw of the funds or within 60 days of the end of the award period, which could have been during the State's fiscal year 2022 or well after September 30, 2022. For this reason, under Uniform Guidance, MDE had the authority to delay the review of FERs until closer to the end date of the award. In the case of late liquidation, the U.S. Department of Education provided notification that extended the award period as far as 14 months beyond the original end date of the award. For part b., MDE partially agrees with the finding. MDE acknowledges that subrecipient desk reviews were not finalized; however, the majority of the subrecipient monitoring was complete. The Uniform Guidance does not specify a timeframe for ESF subrecipient monitoring to occur and no requirement or expectation was made that monitoring would be finalized by MDE management by September 30, 2022. While the MDE contractor was not tracking completion against the date of September 30, 2022, documentation was and is still available, upon request from the OAG, to demonstrate the substantial ongoing monitoring activities, such as desk reviews and review of amendments, as of the end of the State's fiscal year 2022. The Compliance Team was in regular contact with MDE throughout the monitoring process. The Compliance Team provided regular updates leading up to September 30, 2022 and shared comprehensive preliminary results with the department soon after September 30, 2022. 
Auditor's Comments to Management Views We determined, and MDE acknowledged, it did not complete any FER reviews or finalize any desk reviews as part of its during-the-award monitoring activities for the $1.8 billion provided to subrecipients in fiscal year 2022. In addition, the contractor acknowledged it did not have a tracking mechanism in place identifying when desk reviews were completed, consequently documentation did not exist to validate MDE's assertion that a majority of the subrecipient monitoring was complete. Federal regulation 2 CFR 200 Subpart F requires the SOM single audit be conducted annually in accordance with the State's fiscal year, which represents the period covered by the auditor's compliance opinion. Therefore, sufficient appropriate evidence must exist during the audit period to determine whether MDE complied with the subrecipient monitoring requirement identified as subject to audit in the OMB Compliance Supplement. Sufficient appropriate evidence did not exist in fiscal year 2022 to support compliance with federal regulation 2 CFR 200.332(d). Therefore, the finding stands as written.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested.
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-014 MDE, Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 29 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDE informed us that because of an oversight, it did not document the testing results and close the work items. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDE fully implement an effective change management process over MiND and NexSys. Management Views MDE agrees with the finding.
FINDING 2022-016 MDE, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not have a process to ensure it submitted subaward information in accordance with the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. MDE's process is to reopen and overwrite the previous month's report on the FFATA Subaward Reporting System (FSRS) instead of submitting a new report each month. We reviewed FSRS and MDE's FFATA documentation and could not determine if MDE timely reported subaward information for: a. All 22 sampled Supporting Effective Instruction State Grants subawards totaling $5,435,439. b. 32 (94%) of 34 sampled Education Stabilization Fund (ESF) subawards totaling $29,957,229. c. All 10 sampled CCDF Cluster subawards totaling $6,407,071. Criteria Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on its FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards. Cause MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds available for the recipient. As a result, historical data is unavailable in FSRS. Effect We were unable to determine if MDE grant information was available in a timely manner for public access through the federal website established to improve transparency of governmental spending. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE submit subaward information in accordance with FFATA and federal guidance. Management Views MDE agrees with the finding.
FINDING 2022-018 MDE, Subrecipient Monitoring - Subaward Information See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted: a. MDE did not report one or more of the following for 4 (16%) of 25 sampled Supporting Effective Instruction State Grant subrecipients and 28 (47%) of 60 ESF subrecipients: unique entity identifier, FAIN, federal award date, federal award project description, name of federal awarding agency and pass-through entity, ALN, Assistance Listing Title, federal award dollar amount, identification of whether the award is research and development, indirect cost rate for the federal award, an approved federally recognized indirect cost rate for the subrecipient, and closeout terms and conditions. b. MDE did not report the correct FAIN or closeout terms and conditions for all 5 sampled Coronavirus State and Local Fiscal Recovery Funds subrecipients. Criteria Federal regulation 2 CFR 200.332(a) requires that all pass-through entities ensure that every subaward includes certain information. Cause For part a., MDE informed us MEGS+ is designed to automatically generate the grant award notifications upon approval of subaward applications; however, this function did not operate correctly in fiscal year 2022. For part b., MDE informed us because of an oversight, it did not always provide all required subaward information to subrecipients. Also, MDE believed it used the best available information at the time MDE developed and executed the subawards; however, our review of documentation noted MDE was provided the program's award identification prior to the executed subawards, but MDE staff did not appropriately communicate the information to applicable parties. Effect Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. 
We consider this to be a material weakness and material noncompliance for ESF because of the high error rate related to federal award information which was not disclosed to the subrecipient. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE report to its subrecipients all subaward information as required by the Uniform Guidance. Management Views MDE agrees with the finding.
FINDING 2022-042 Education Stabilization Fund, ALN 84.425, Subrecipient Monitoring - During-the-Award Monitoring Procedures See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not complete sufficient during-the-award monitoring procedures in fiscal year 2022. MDE provided its subrecipients a two-year grant and notified its subrecipients in their grant award notification that a final expenditure report (FER) was due by August 29, 2022. As of September 30, 2022, MDE received 1,335 (78%) of 1,717 FERs for the two-year grant. In addition, MDE contracted with a vendor to conduct desk reviews of ESF subrecipients beginning in July 2022. We noted: a. MDE did not complete any reviews of the FERs submitted during fiscal year 2022. We determined subrecipients submitted 990 (58%) FERs by August 29, 2022. b. Neither MDE nor its contractor could provide documentation supporting the subrecipient desk reviews finalized and whether any corrective action was required or enforcement action was taken against noncompliant subrecipients during fiscal year 2022. Criteria Federal regulation 2 CFR 200.303 requires the nonfederal entity to establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of federal awards. In addition, federal regulation 2 CFR 200.332(d) states that all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: • Reviewing financial and performance reports required by the pass-through entity.
• Following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address single audit findings related to the particular subaward. Federal regulation 2 CFR 200.332(h) states that all pass-through entities must consider taking enforcement action against noncompliant subrecipients. MDE's grant award notifications required ESF subrecipients to submit a FER by August 29, 2022. MDE contracted for the completion of subrecipient desk reviews. Cause MDE elected to delay its review of FERs until all FERs were received. Also, because MDE's contracted desk reviews did not begin until July 2022, it was unable to finalize any individual subrecipient reviews by September 30, 2022. Effect MDE may not identify in a timely manner subrecipients that used funds for unauthorized purposes. We consider this to be a material weakness and material noncompliance because of lack of during-the-award monitoring activities. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE complete sufficient during-the-award monitoring of ESF subrecipients. Management Views For part a., MDE partially agrees with the finding. MDE acknowledges that it did not complete any reviews of the FERs submitted during fiscal year 2022. However, the Uniform Guidance does not specify a timeframe for the review of FERs for ESF funds and the ESF program is inherently more flexible than other federal programs in this regard.
Although grant award notifications (GANs) originally required ESF subrecipients to submit a FER by August 29, 2022, MDE communicated to ESF subrecipients after the initial GANs that the August 29, 2022 due date was subject to change due to the continuously changing rules and requirements around this funding, including extension possibilities such as late liquidation. ESF FERs were due either within 60 days of full draw of the funds or within 60 days of the end of the award period, which could have been during the State's fiscal year 2022 or well after September 30, 2022. For this reason, under Uniform Guidance, MDE had the authority to delay the review of FERs until closer to the end date of the award. In the case of late liquidation, the U.S. Department of Education provided notification that extended the award period as far as 14 months beyond the original end date of the award. For part b., MDE partially agrees with the finding. MDE acknowledges that subrecipient desk reviews were not finalized; however, the majority of the subrecipient monitoring was complete. The Uniform Guidance does not specify a timeframe for ESF subrecipient monitoring to occur and no requirement or expectation was made that monitoring would be finalized by MDE management by September 30, 2022. While the MDE contractor was not tracking completion against the date of September 30, 2022, documentation was and is still available, upon request from the OAG, to demonstrate the substantial ongoing monitoring activities, such as desk reviews and review of amendments, as of the end of the State's fiscal year 2022. The Compliance Team was in regular contact with MDE throughout the monitoring process. The Compliance Team provided regular updates leading up to September 30, 2022 and shared comprehensive preliminary results with the department soon after September 30, 2022. 
Auditor's Comments to Management Views We determined, and MDE acknowledged, it did not complete any FER reviews or finalize any desk reviews as part of its during-the-award monitoring activities for the $1.8 billion provided to subrecipients in fiscal year 2022. In addition, the contractor acknowledged it did not have a tracking mechanism in place identifying when desk reviews were completed, consequently documentation did not exist to validate MDE's assertion that a majority of the subrecipient monitoring was complete. Federal regulation 2 CFR 200 Subpart F requires the SOM single audit be conducted annually in accordance with the State's fiscal year, which represents the period covered by the auditor's compliance opinion. Therefore, sufficient appropriate evidence must exist during the audit period to determine whether MDE complied with the subrecipient monitoring requirement identified as subject to audit in the OMB Compliance Supplement. Sufficient appropriate evidence did not exist in fiscal year 2022 to support compliance with federal regulation 2 CFR 200.332(d). Therefore, the finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs • $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-043 Aging Cluster, ALN 93.044, 93.045, and 93.053, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Matching, Level of Effort, and Earmarking; and Subrecipient Monitoring - AIS FIRST User Access See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully establish effective user access controls over Aging Information System (AIS) Financial Information Reporting System Technology (FIRST). AIS FIRST is utilized by Aging Cluster subrecipients to submit data, payment requests, and financial status reports to MDHHS. We noted MDHHS did not properly approve 3 of the 4 sampled users' application security agreements prior to granting access to AIS FIRST. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires security controls be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring that users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. Cause MDHHS informed us that due to limited staff resources, the application security agreements did not contain a final approving signature. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to AIS FIRST. Known Questioned Costs None. 
Recommendation We recommend MDHHS fully establish effective user access controls over AIS FIRST. Management Views MDHHS agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs ? $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding
FINDING 2022-043 Aging Cluster, ALN 93.044, 93.045, and 93.053, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Matching, Level of Effort, and Earmarking; and Subrecipient Monitoring - AIS FIRST User Access See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully establish effective user access controls over Aging Information System (AIS) Financial Information Reporting System Technology (FIRST). AIS FIRST is utilized by Aging Cluster subrecipients to submit data, payment requests, and financial status reports to MDHHS. We noted MDHHS did not properly approve 3 of the 4 sampled users' application security agreements prior to granting access to AIS FIRST. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires security controls be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring that users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. Cause MDHHS informed us that due to limited staff resources, the application security agreements did not contain a final approving signature. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to AIS FIRST. Known Questioned Costs None. 
Recommendation We recommend MDHHS fully establish effective user access controls over AIS FIRST. Management Views MDHHS agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs ? $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding
FINDING 2022-043 Aging Cluster, ALN 93.044, 93.045, and 93.053, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Matching, Level of Effort, and Earmarking; and Subrecipient Monitoring - AIS FIRST User Access See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully establish effective user access controls over Aging Information System (AIS) Financial Information Reporting System Technology (FIRST). AIS FIRST is utilized by Aging Cluster subrecipients to submit data, payment requests, and financial status reports to MDHHS. We noted MDHHS did not properly approve 3 of the 4 sampled users' application security agreements prior to granting access to AIS FIRST. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires security controls be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring that users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. Cause MDHHS informed us that due to limited staff resources, the application security agreements did not contain a final approving signature. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to AIS FIRST. Known Questioned Costs None. 
Recommendation We recommend MDHHS fully establish effective user access controls over AIS FIRST. Management Views MDHHS agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-014 MDE, Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 29 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDE informed us that because of an oversight, it did not document the testing results and close the work items. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDE fully implement an effective change management process over MiND and NexSys. Management Views MDE agrees with the finding.
FINDING 2022-016 MDE, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not have a process to ensure it submitted subaward information in accordance with the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. MDE's process is to reopen and overwrite the previous month's report on the FFATA Subaward Reporting System (FSRS) instead of submitting a new report each month. We reviewed FSRS and MDE's FFATA documentation and could not determine if MDE timely reported subaward information for: a. All 22 sampled Supporting Effective Instruction State Grants subawards totaling $5,435,439. b. 32 (94%) of 34 sampled Education Stabilization Fund (ESF) subawards totaling $29,957,229. c. All 10 sampled CCDF Cluster subawards totaling $6,407,071. Criteria Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on its FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards. Cause MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds available for the recipient. As a result, historical data is unavailable in FSRS. Effect We were unable to determine if MDE grant information was available in a timely manner for public access through the federal website established to improve transparency of governmental spending. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE submit subaward information in accordance with FFATA and federal guidance. Management Views MDE agrees with the finding.
FINDING 2022-044 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 6 (15%) of the 40 cases we reviewed. Our review disclosed: a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 3 (8%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services. b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 2 (5%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits. c. MDHHS did not maintain sufficient documentation to support the client's eligibility determination for 1 (3%) of 40 cases reviewed. We noted incomplete supporting documentation related to the client's categorical eligibility. Criteria Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. 
The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider. Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan. Cause MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required verification documentation in the client's case record to support eligibility. Effect We consider this to be a material weakness and material noncompliance because MDE may have made payments on behalf of ineligible clients and because of the overall high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $1,688 - federal share. $707 - State share of costs that MDE inappropriately used as matching. Recommendation We recommend that MDE and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements. Management Views MDHHS and MDE agree with the finding.
FINDING 2022-045 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Child Care Stabilization Grants See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not maintain documentation of its efforts to verify child care stabilization grant applications. For 3 (7%) of the 45 applications reviewed, MDE did not document and follow up differences between Bridges child eligibility data and the number of subsidy eligible children on the provider's application. MDE calculated provider grant amounts based on the number of children on the grant application which did not always agree with subsidy eligible children reported in Bridges, resulting in potential underpayments to the providers. Criteria The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers. Providers were required to complete separate online applications to receive child care stabilization grants in fall 2021, spring 2022, and summer 2022. MDE's written procedures required its administrative reviewer to edit the number of subsidy children on the application to match Bridges query data. Cause MDE informed us that because of an oversight, documentation was not maintained to support that it used the correct number of subsidy-eligible children when calculating a provider's grant amount. Effect MDE may have made inaccurate child care stabilization grant payments to child care providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE maintain documentation to support that it appropriately verifies child care stabilization grant applications. Management Views MDE agrees with the finding.
FINDING 2022-046 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements See Schedule of Findings and Questioned Costs for chart/table. Background In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2022, LARA was responsible for performing onsite inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period. Condition MDE and LARA did not perform timely inspections and maintain sufficient documentation to support child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 51 sampled licensed providers for the CCDF Cluster payments disclosed: a. LARA did not ensure timely annual on-site inspections for 7 (14%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection. b. LARA did not maintain documentation to support 1 renewal inspection. c. LARA did not maintain documentation to support it granted an extension when the license period had expired for 1 provider with a license renewed during fiscal year 2022. Criteria Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect under State, local, or tribal law requirements designed, implemented, and enforced to protect the health and safety of children and provides the minimum health and safety topics that must include training on and be applicable to child care providers of services. 
The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards. Federal regulation 45 CFR 98.44 requires MDE to identify in its CCDF State Plan established requirements for pre-service or orientation training in the established health and safety standards and for ongoing professional development that maintains and updates the health and safety standards described in federal regulation 45 CFR 98.41. Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards. Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations. Cause LARA informed us limited resources impacted the timeliness of some inspections and the missing documentation was an oversight. Effect Child care providers may not have complied with all applicable health and safety requirements to receive CCDF Cluster funds resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $245 - federal share.
$103 - State share of costs that MDE inappropriately used as matching. Recommendation We recommend MDE and LARA perform timely inspections and maintain sufficient documentation to support child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments. Management Views MDE and LARA agree with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-044 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 6 (15%) of the 40 cases we reviewed. Our review disclosed: a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 3 (8%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services. b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 2 (5%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits. c. MDHHS did not maintain sufficient documentation to support the client's eligibility determination for 1 (3%) of 40 cases reviewed. We noted incomplete supporting documentation related to the client's categorical eligibility. Criteria Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. 
The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider. Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan. Cause MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required verification documentation in the client's case record to support eligibility. Effect We consider this to be a material weakness and material noncompliance because MDE may have made payments on behalf of ineligible clients and because of the overall high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $1,688 - federal share. $707 - State share of costs that MDE inappropriately used as matching. Recommendation We recommend that MDE and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements. Management Views MDHHS and MDE agree with the finding.
FINDING 2022-045 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Child Care Stabilization Grants See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not maintain documentation of its efforts to verify child care stabilization grant applications. For 3 (7%) of the 45 applications reviewed, MDE did not document and follow up differences between Bridges child eligibility data and the number of subsidy eligible children on the provider's application. MDE calculated provider grant amounts based on the number of children on the grant application which did not always agree with subsidy eligible children reported in Bridges, resulting in potential underpayments to the providers. Criteria The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers. Providers were required to complete separate online applications to receive child care stabilization grants in fall 2021, spring 2022, and summer 2022. MDE's written procedures required its administrative reviewer to edit the number of subsidy children on the application to match Bridges query data. Cause MDE informed us that because of an oversight, documentation was not maintained to support that it used the correct number of subsidy-eligible children when calculating a provider's grant amount. Effect MDE may have made inaccurate child care stabilization grant payments to child care providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE maintain documentation to support that it appropriately verifies child care stabilization grant applications. Management Views MDE agrees with the finding.
FINDING 2022-046 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements See Schedule of Findings and Questioned Costs for chart/table. Background In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2022, LARA was responsible for performing onsite inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period. Condition MDE and LARA did not perform timely inspections and maintain sufficient documentation to support child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 51 sampled licensed providers for the CCDF Cluster payments disclosed: a. LARA did not ensure timely annual on-site inspections for 7 (14%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection. b. LARA did not maintain documentation to support 1 renewal inspection. c. LARA did not maintain documentation to support it granted an extension when the license period had expired for 1 provider with a license renewed during fiscal year 2022. Criteria Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect under State, local, or tribal law requirements designed, implemented, and enforced to protect the health and safety of children and provides the minimum health and safety topics that must include training on and be applicable to child care providers of services. 
The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards. Federal regulation 45 CFR 98.44 requires MDE to identify in its CCDF State Plan established requirements for pre-service or orientation training in the established health and safety standards and for ongoing professional development that maintains and updates the health and safety standards described in federal regulation 45 CFR 98.41. Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards. Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations. Cause LARA informed us limited resources impacted the timeliness of some inspections and the missing documentation was an oversight. Effect Child care providers may not have complied with all applicable health and safety requirements to receive CCDF Cluster funds resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $245 - federal share.
$103 - State share of costs that MDE inappropriately used as matching. Recommendation We recommend MDE and LARA perform timely inspections and maintain sufficient documentation to support child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments. Management Views MDE and LARA agree with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-044 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 6 (15%) of the 40 cases we reviewed. Our review disclosed: a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 3 (8%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services. b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 2 (5%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits. c. MDHHS did not maintain sufficient documentation to support the client's eligibility determination for 1 (3%) of 40 cases reviewed. We noted incomplete supporting documentation related to the client's categorical eligibility. Criteria Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. 
The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider. Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan. Cause MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required verification documentation in the client's case record to support eligibility. Effect We consider this to be a material weakness and material noncompliance because MDE may have made payments on behalf of ineligible clients and because of the overall high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $1,688 - federal share. $707 - State share of costs that MDE inappropriately used as matching. Recommendation We recommend that MDE and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements. Management Views MDHHS and MDE agree with the finding.
FINDING 2022-045 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Child Care Stabilization Grants See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not maintain documentation of its efforts to verify child care stabilization grant applications. For 3 (7%) of the 45 applications reviewed, MDE did not document and follow up differences between Bridges child eligibility data and the number of subsidy eligible children on the provider's application. MDE calculated provider grant amounts based on the number of children on the grant application which did not always agree with subsidy eligible children reported in Bridges, resulting in potential underpayments to the providers. Criteria The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers. Providers were required to complete separate online applications to receive child care stabilization grants in fall 2021, spring 2022, and summer 2022. MDE's written procedures required its administrative reviewer to edit the number of subsidy children on the application to match Bridges query data. Cause MDE informed us that because of an oversight, documentation was not maintained to support that it used the correct number of subsidy-eligible children when calculating a provider's grant amount. Effect MDE may have made inaccurate child care stabilization grant payments to child care providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE maintain documentation to support that it appropriately verifies child care stabilization grant applications. Management Views MDE agrees with the finding.
FINDING 2022-046 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements See Schedule of Findings and Questioned Costs for chart/table. Background In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2022, LARA was responsible for performing onsite inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period. Condition MDE and LARA did not perform timely inspections and maintain sufficient documentation to support child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 51 sampled licensed providers for the CCDF Cluster payments disclosed: a. LARA did not ensure timely annual on-site inspections for 7 (14%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection. b. LARA did not maintain documentation to support 1 renewal inspection. c. LARA did not maintain documentation to support it granted an extension when the license period had expired for 1 provider with a license renewed during fiscal year 2022. Criteria Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect under State, local, or tribal law requirements designed, implemented, and enforced to protect the health and safety of children and provides the minimum health and safety topics that must include training on and be applicable to child care providers of services. 
The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards. Federal regulation 45 CFR 98.44 requires MDE to identify in its CCDF State Plan established requirements for pre-service or orientation training in the established health and safety standards and for ongoing professional development that maintains and updates the health and safety standards described in federal regulation 45 CFR 98.41. Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards. Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations. Cause LARA informed us limited resources impacted the timeliness of some inspections and the missing documentation was an oversight. Effect Child care providers may not have complied with all applicable health and safety requirements to receive CCDF Cluster funds resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $245 - federal share.
$103 - State share of costs that MDE inappropriately used as matching. Recommendation We recommend MDE and LARA perform timely inspections and maintain sufficient documentation to support child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments. Management Views MDE and LARA agree with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-044 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 6 (15%) of the 40 cases we reviewed. Our review disclosed: a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 3 (8%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services. b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 2 (5%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits. c. MDHHS did not maintain sufficient documentation to support the client's eligibility determination for 1 (3%) of 40 cases reviewed. We noted incomplete supporting documentation related to the client's categorical eligibility. Criteria Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE to identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV.
The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider. Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan. Cause MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required verification documentation in the client's case record to support eligibility. Effect We consider this to be a material weakness and material noncompliance because MDE may have made payments on behalf of ineligible clients and because of the overall high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $1,688 - federal share. $707 - State share of costs that MDE inappropriately used as matching. Recommendation We recommend that MDE and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements. Management Views MDHHS and MDE agree with the finding.
FINDING 2022-045 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Child Care Stabilization Grants See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not maintain documentation of its efforts to verify child care stabilization grant applications. For 3 (7%) of the 45 applications reviewed, MDE did not document and follow up on differences between Bridges child eligibility data and the number of subsidy eligible children on the provider's application. MDE calculated provider grant amounts based on the number of children on the grant application, which did not always agree with subsidy eligible children reported in Bridges, resulting in potential underpayments to the providers. Criteria The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers. Providers were required to complete separate online applications to receive child care stabilization grants in fall 2021, spring 2022, and summer 2022. MDE's written procedures required its administrative reviewer to edit the number of subsidy children on the application to match Bridges query data. Cause MDE informed us that because of an oversight, documentation was not maintained to support that it used the correct number of subsidy-eligible children when calculating a provider's grant amount. Effect MDE may have made inaccurate child care stabilization grant payments to child care providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE maintain documentation to support that it appropriately verifies child care stabilization grant applications. Management Views MDE agrees with the finding.
FINDING 2022-046 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements See Schedule of Findings and Questioned Costs for chart/table. Background In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2022, LARA was responsible for performing onsite inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period. Condition MDE and LARA did not perform timely inspections and maintain sufficient documentation to support child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 51 sampled licensed providers for the CCDF Cluster payments disclosed: a. LARA did not ensure timely annual on-site inspections for 7 (14%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection. b. LARA did not maintain documentation to support 1 renewal inspection. c. LARA did not maintain documentation to support it granted an extension when the license period had expired for 1 provider with a license renewed during fiscal year 2022. Criteria Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect under State, local, or tribal law requirements designed, implemented, and enforced to protect the health and safety of children and provides the minimum health and safety topics that must include training on and be applicable to child care providers of services. 
The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards. Federal regulation 45 CFR 98.44 requires MDE to identify in its CCDF State Plan established requirements for pre-service or orientation training in the established health and safety standards and for ongoing professional development that maintains and updates the health and safety standards described in federal regulation 45 CFR 98.41. Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards. Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations. Cause LARA informed us limited resources impacted the timeliness of some inspections and the missing documentation was an oversight. Effect Child care providers may not have complied with all applicable health and safety requirements to receive CCDF Cluster funds resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $245 - federal share.
$103 - State share of costs that MDE inappropriately used as matching. Recommendation We recommend MDE and LARA perform timely inspections and maintain sufficient documentation to support child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments. Management Views MDE and LARA agree with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-044 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 6 (15%) of the 40 cases we reviewed. Our review disclosed: a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 3 (8%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services. b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 2 (5%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits. c. MDHHS did not maintain sufficient documentation to support the client's eligibility determination for 1 (3%) of 40 cases reviewed. We noted incomplete supporting documentation related to the client's categorical eligibility. Criteria Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. 
The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider. Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan. Cause MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required verification documentation in the client's case record to support eligibility. Effect We consider this to be a material weakness and material noncompliance because MDE may have made payments on behalf of ineligible clients and because of the overall high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $1,688 - federal share. $707 - State share of costs that MDE inappropriately used as matching. Recommendation We recommend that MDE and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements. Management Views MDHHS and MDE agree with the finding.
FINDING 2022-045 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Child Care Stabilization Grants See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not maintain documentation of its efforts to verify child care stabilization grant applications. For 3 (7%) of the 45 applications reviewed, MDE did not document and follow up differences between Bridges child eligibility data and the number of subsidy eligible children on the provider's application. MDE calculated provider grant amounts based on the number of children on the grant application which did not always agree with subsidy eligible children reported in Bridges, resulting in potential underpayments to the providers. Criteria The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers. Providers were required to complete separate online applications to receive child care stabilization grants in fall 2021, spring 2022, and summer 2022. MDE's written procedures required its administrative reviewer to edit the number of subsidy children on the application to match Bridges query data. Cause MDE informed us that because of an oversight, documentation was not maintained to support that it used the correct number of subsidy-eligible children when calculating a provider's grant amount. Effect MDE may have made inaccurate child care stabilization grant payments to child care providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE maintain documentation to support that it appropriately verifies child care stabilization grant applications. Management Views MDE agrees with the finding.
FINDING 2022-046 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements See Schedule of Findings and Questioned Costs for chart/table. Background In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2022, LARA was responsible for performing onsite inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period. Condition MDE and LARA did not perform timely inspections and maintain sufficient documentation to support child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 51 sampled licensed providers for the CCDF Cluster payments disclosed: a. LARA did not ensure timely annual on-site inspections for 7 (14%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection. b. LARA did not maintain documentation to support 1 renewal inspection. c. LARA did not maintain documentation to support it granted an extension when the license period had expired for 1 provider with a license renewed during fiscal year 2022. Criteria Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect under State, local, or tribal law requirements designed, implemented, and enforced to protect the health and safety of children and provides the minimum health and safety topics that must include training on and be applicable to child care providers of services. 
The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards. Federal regulation 45 CFR 98.44 requires MDE to identify in its CCDF State Plan established requirements for pre-service or orientation training in the established health and safety standards and for ongoing professional development that maintains and updates the health and safety standards described in federal regulation 45 CFR 98.41. Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards. Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations. Cause LARA informed us limited resources impacted the timeliness of some inspections and the missing documentation was an oversight. Effect Child care providers may not have complied with all applicable health and safety requirements to receive CCDF Cluster funds resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $245 - federal share.
$103 - State share of costs that MDE inappropriately used as matching. Recommendation We recommend MDE and LARA perform timely inspections and maintain sufficient documentation to support child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments. Management Views MDE and LARA agree with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-007 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted: a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan. b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing. c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP. 
Cause MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment. Effect MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding. For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. 
For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability. For part c, although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls. 
Auditor's Comments to Management Views The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2022-009 CHAMPS General Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is the Medicaid and CHIP claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to CHAMPS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-019 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility See Schedule of Findings and Questioned Costs for chart/table. Background In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP. Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. As a result, we sampled beneficiaries for each program who either began receiving assistance or had a change in their type of assistance during fiscal year 2022. We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table. For an estimated 74,086 Medicaid and 16,324 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. 
However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested. The results of the testing for the remaining 54 Medicaid and 48 CHIP beneficiaries we were able to review are summarized in the finding below. Condition MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed: a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 4 (7%) of 54 Medicaid and 11 (23%) of 48 CHIP cases reviewed. b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 54 Medicaid cases reviewed. Criteria Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Cause For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions. For part b., MDHHS indicated the missing documentation resulted from staff oversight. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 9% Medicaid and 23% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance. 
Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $1,969 - federal share. $656 - State share of costs MDHHS inappropriately used as matching. Recommendations We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements. We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-020 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely. On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified it incorrectly recorded $39.1 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2022. However, we selected a sample of 2 beneficiaries that were transferred to CHIP and noted both beneficiaries were not eligible for CHIP but were in fact Medicaid eligible and, therefore, should not have been transferred. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs. Cause MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). 
The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, some cases were transferred in error. Effect MDHHS inappropriately transferred $294 of Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Also, of the $39.1 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. For the CHIP compliance requirements noted, we consider this to be a material weakness and material noncompliance because the $39.1 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 14% of total CHIP expenditures and both sample items were inappropriately transferred to CHIP. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $235 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $235 is questioned in Finding 2022-019. $58 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views MDHHS agrees with the finding.
FINDING 2022-021 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Eligibility Interface Errors See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments. Condition MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Cause MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices. Effect MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. 
Recommendation We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate. Management Views MDHHS agrees with the finding.
FINDING 2022-022 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures. Criteria Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935. 
Cause MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS relies on the entities to inform it when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures. Effect MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendations We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures. Management Views MDHHS agrees with the finding.
FINDING 2022-023 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report). We noted: a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $1.6 million of the federal share of overpayments. b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the first quarter of fiscal year 2022. c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting. d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording overpayments on the incorrect CMS-64 line and returning the incorrect federal share. e. MDHHS did not report 11 (44%) of 25 sampled Medicaid overpayments and 2 (50%) of 4 sampled CHIP overpayments accurately or timely, such as incorrectly applying a federal medical assistance percentage rate, untimely reporting after the 1-year time reporting requirement lapsed, or untimely reporting collections received. 
Criteria Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount. Cause MDHHS informed us system issues contributed to the untimely reporting of overpayments. Also, MDHHS stated overpayment receivables entered into CHAMPS were not properly reported due to the design of CHAMPS and the needed quarterly CHAMPS reports were only scheduled to be run on an annual basis. Effect MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendation We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report. Management Views MDHHS agrees with the finding.
FINDING 2022-024 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure MHP, PIHP, MI Choice, and Dental Health Plan medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports. The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care. Criteria Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports. Cause MDHHS informed us it relies on the attestation included within the MLR reports indicating the information submitted is current, complete, accurate, and in compliance with federal regulation 42 CFR 438.8; therefore, MDHHS did not require the comparison to be included. Effect MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports. Management Views MDHHS agrees with the finding.
FINDING 2022-025 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure an independent audit was conducted and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2022. Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries. Criteria Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website. Cause MDHHS informed us it relies on various reviews in lieu of an independent audit of encounter and financial data, such as periodically comparing CHAMPS encounter data with the managed care entities' internally stored encounter data to identify variances. Effect We consider this to be a material weakness and material noncompliance because MDHHS significantly limits its assurance the data submitted by the managed care entities is accurate. Also, inaccurate data could affect the capitation rates developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. 
Recommendation We recommend MDHHS ensure an independent audit is conducted and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities. Management Views MDHHS agrees with the finding.
FINDING 2022-047 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $5,774 for 15 (50%) of 30 payments sampled from a $1,390,653 population of beneficiary payments with no corresponding Medicaid coverage. Criteria Federal regulation 42 CFR 435.1002(b) indicates that federal funding is available only for services provided to eligible beneficiaries. Cause MDHHS informed us because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility. Effect MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs exceed $25,000.
• $5,103 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $671 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation We recommend that MDHHS ensure that beneficiary eligibility is updated in CHAMPS. Management Views MDHHS agrees with the finding.
FINDING 2022-048 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not prevent or timely recover payments, totaling $324, for 2 (25%) of 8 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 135 allows payment for HHP services on the day a client is discharged from the hospital. Cause MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, the monthly hospitalization reports are not capturing all facility stays for home help clients. Effect MDHHS paid a total of $324 from October 1, 2021 through September 30, 2022 for sampled clients who did not qualify for the HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $232 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $92 - State share of costs MDHHS inappropriately used as matching.
Recommendation We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-049 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; and Matching, Level of Effort, and Earmarking - Home Help Payment Oversight See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not review home help provider invoices for 4 (27%) of 15 sampled payments to individual providers, totaling $485, to help ensure home help payments were reflective of the services provided. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 requires individual providers to submit monthly invoices for reimbursement. Cause Although the Electronic Service Verifications (ESV) and Paper Service Verifications (PSV) collect information on completed services, prior to April 1, 2022 there was no automated review of the ESV information and there continues to be no automated review of the PSV information to determine if all services were provided before payment was issued. Effect MDHHS paid a total of $485 for services from October 1, 2021 through September 30, 2022 that were not supported by home help provider invoices for the sampled payments. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $348 - federal share.
• $137 - State share of costs MDHHS inappropriately used as matching.
Recommendation We recommend MDHHS review home help provider invoices to help ensure home help payments are reflective of the services provided. Management Views MDHHS agrees with the finding.
FINDING 2022-050 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $95,211 for 2,154 FFS claims for beneficiaries simultaneously enrolled in an MHP. Criteria According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award. Cause MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us that the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. Effect MDHHS made improper FFS practitioner payments of $95,211 from October 1, 2021 through September 30, 2022. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs
• $71,324 - federal share of improper payments made to providers from October 1, 2021 through September 30, 2022.
• $23,887 - State share of costs MDHHS inappropriately used as matching.
Recommendation We recommend that MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster. Management Views MDHHS agrees with the finding.
FINDING 2022-051 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Special Tests and Provisions - MARIS General Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security management over the Medicaid Audit Recovery and Investigation System (MARIS) database. MDHHS staff use MARIS to track and investigate complaints alleging Medicaid fraud, waste, and abuse. The MARIS database management system contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to MARIS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of MARIS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security management over the MARIS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-007 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted: a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan. b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing. c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP. 
Cause MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment. Effect MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding. For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. 
For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability. For part c., although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls. 
Auditor's Comments to Management Views The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2022-009 CHAMPS General Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is the Medicaid and CHIP claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to CHAMPS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-019 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility See Schedule of Findings and Questioned Costs for chart/table. Background In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP. Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. As a result, we sampled beneficiaries for each program who either began receiving assistance or had a change in their type of assistance during fiscal year 2022. We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table. For an estimated 74,086 Medicaid and 16,324 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. 
However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested. The results of the testing for the remaining 54 Medicaid and 48 CHIP beneficiaries we were able to review are summarized in the finding below. Condition MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed: a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 4 (7%) of 54 Medicaid and 11 (23%) of 48 CHIP cases reviewed. b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 54 Medicaid cases reviewed. Criteria Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Cause For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions. For part b., MDHHS indicated the missing documentation resulted from staff oversight. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 9% Medicaid and 23% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance. 
Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $1,969 - federal share. $656 - State share of costs MDHHS inappropriately used as matching. Recommendations We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements. We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-020 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely. On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified it incorrectly recorded $39.1 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2022. However, we selected a sample of 2 beneficiaries that were transferred to CHIP and noted both beneficiaries were not eligible for CHIP but were in fact Medicaid eligible and, therefore, should not have been transferred. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs. Cause MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). 
The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, some cases were transferred in error. Effect MDHHS inappropriately transferred $294 Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Also, of the $39.1 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. For the CHIP compliance requirements noted, we consider this to be a material weakness and material noncompliance because the $39.1 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 14% of total CHIP expenditures and both sample items were inappropriately transferred to CHIP. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $235 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $235 is questioned in Finding 2022-019. $58 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely. 
Management Views MDHHS agrees with the finding.
FINDING 2022-021 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Eligibility Interface Errors See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments. Condition MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Cause MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices. Effect MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. 
Recommendation We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate. Management Views MDHHS agrees with the finding.
FINDING 2022-022 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures. Criteria Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935. 
Cause MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS relies on the entities to inform it when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures. Effect MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendations We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures. Management Views MDHHS agrees with the finding.
FINDING 2022-023 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report). We noted: a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $1.6 million of the federal share of overpayments. b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the first quarter of fiscal year 2022. c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting. d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording overpayments on the incorrect CMS-64 line and returning the incorrect federal share. e. MDHHS did not report 11 (44%) of 25 sampled Medicaid overpayments and 2 (50%) of 4 sampled CHIP overpayments accurately or timely, such as incorrectly applying a federal medical assistance percentage rate, untimely reporting after the 1-year time reporting requirement lapsed, or untimely reporting collections received. 
Criteria Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount. Cause MDHHS informed us system issues contributed to the untimely reporting of overpayments. Also, MDHHS stated overpayment receivables entered into CHAMPS were not properly reported due to the design of CHAMPS and the needed quarterly CHAMPS reports were only scheduled to be run on an annual basis. Effect MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendation We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report. Management Views MDHHS agrees with the finding.
FINDING 2022-024 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure MHP, PIHP, MI Choice, and Dental Health Plan medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports. The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care. Criteria Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports. Cause MDHHS informed us it relies on the attestation included within the MLR reports indicating the information submitted is current, complete, accurate, and in compliance with federal regulation 42 CFR 438.8; therefore, MDHHS did not require the comparison to be included. Effect MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports. Management Views MDHHS agrees with the finding.
FINDING 2022-025 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure an independent audit was conducted and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2022. Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries. Criteria Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website. Cause MDHHS informed us it relies on various reviews in lieu of an independent audit of encounter and financial data, such as periodically comparing CHAMPS encounter data with the managed care entities' internally stored encounter data to identify variances. Effect We consider this to be a material weakness and material noncompliance because MDHHS significantly limits its assurance the data submitted by the managed care entities is accurate. Also, inaccurate data could affect the capitation rates developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. 
Recommendation We recommend MDHHS ensure an independent audit is conducted and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities. Management Views MDHHS agrees with the finding.
FINDING 2022-047 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $5,774 for 15 (50%) of 30 payments sampled from a $1,390,653 population of beneficiary payments with no corresponding Medicaid coverage. Criteria Federal regulation 42 CFR 435.1002(b) indicates that federal funding is available only for services provided to eligible beneficiaries. Cause MDHHS informed us because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility. Effect MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs exceed $25,000.
• $5,103 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $671 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation We recommend that MDHHS ensure that beneficiary eligibility is updated in CHAMPS. Management Views MDHHS agrees with the finding.
FINDING 2022-048 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not prevent or timely recover payments, totaling $324, for 2 (25%) of 8 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 135 allows payment for HHP services on the day a client is discharged from the hospital. Cause MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, the monthly hospitalization reports are not capturing all facility stays for home help clients. Effect MDHHS paid a total of $324 from October 1, 2021 through September 30, 2022 for sampled clients who did not qualify for the HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $232 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $92 - State share of costs MDHHS inappropriately used as matching.
Recommendation We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-049 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; and Matching, Level of Effort, and Earmarking - Home Help Payment Oversight See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not review home help provider invoices for 4 (27%) of 15 sampled payments to individual providers, totaling $485, to help ensure home help payments were reflective of the services provided. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 requires individual providers to submit monthly invoices for reimbursement. Cause Although the Electronic Service Verifications (ESV) and Paper Service Verifications (PSV) collect information on completed services, prior to April 1, 2022 there was no automated review of the ESV information and there continues to be no automated review of the PSV information to determine if all services were provided before payment was issued. Effect MDHHS paid a total of $485 for services from October 1, 2021 through September 30, 2022 that were not supported by home help provider invoices for the sampled payments. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $348 - federal share.
• $137 - State share of costs MDHHS inappropriately used as matching.
Recommendation We recommend MDHHS review home help provider invoices to help ensure home help payments are reflective of the services provided. Management Views MDHHS agrees with the finding.
FINDING 2022-050 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $95,211 for 2,154 FFS claims for beneficiaries simultaneously enrolled in an MHP. Criteria According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award. Cause MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us that the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. Effect MDHHS made improper FFS practitioner payments of $95,211 from October 1, 2021 through September 30, 2022. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs
• $71,324 - federal share of improper payments made to providers from October 1, 2021 through September 30, 2022.
• $23,887 - State share of costs MDHHS inappropriately used as matching.
Recommendation We recommend that MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster. Management Views MDHHS agrees with the finding.
FINDING 2022-051 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Special Tests and Provisions - MARIS General Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security management over the Medicaid Audit Recovery and Investigation System (MARIS) database. MDHHS staff use MARIS to track and investigate complaints alleging Medicaid fraud, waste, and abuse. The MARIS database management system contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to MARIS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of MARIS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security management over the MARIS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support that its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support that its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-007 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted: a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan. b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing. c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP. 
Cause MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment. Effect MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding. For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. 
For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability. For part c., although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls. 
Auditor's Comments to Management Views The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2022-009 CHAMPS General Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is the Medicaid and CHIP claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to CHAMPS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-019 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility See Schedule of Findings and Questioned Costs for chart/table. Background In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP. Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. As a result, we sampled beneficiaries for each program who either began receiving assistance or had a change in their type of assistance during fiscal year 2022. We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table. For an estimated 74,086 Medicaid and 16,324 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. 
However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested. The results of the testing for the remaining 54 Medicaid and 48 CHIP beneficiaries we were able to review are summarized in the finding below. Condition MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed: a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 4 (7%) of 54 Medicaid and 11 (23%) of 48 CHIP cases reviewed. b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 54 Medicaid cases reviewed. Criteria Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Cause For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions. For part b., MDHHS indicated the missing documentation resulted from staff oversight. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 9% Medicaid and 23% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance. 
Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $1,969 - federal share; $656 - State share of costs MDHHS inappropriately used as matching. Recommendations We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements. We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-020 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely. On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified it incorrectly recorded $39.1 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2022. However, we selected a sample of 2 beneficiaries that were transferred to CHIP and noted both beneficiaries were not eligible for CHIP but were in fact Medicaid eligible and, therefore, should not have been transferred. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs. Cause MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). 
The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, some cases were transferred in error. Effect MDHHS inappropriately transferred $294 of Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Also, of the $39.1 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. For the CHIP compliance requirements noted, we consider this to be a material weakness and material noncompliance because the $39.1 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 14% of total CHIP expenditures and both sample items were inappropriately transferred to CHIP. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $235 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $235 is questioned in Finding 2022-019; $58 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely. 
Management Views MDHHS agrees with the finding.
FINDING 2022-021 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Eligibility Interface Errors See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments. Condition MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Cause MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices. Effect MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. 
Recommendation We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate. Management Views MDHHS agrees with the finding.
FINDING 2022-022 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures. Criteria Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935. 
Cause MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS relies on the entities to inform it when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures. Effect MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendations We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures. Management Views MDHHS agrees with the finding.
FINDING 2022-023 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report). We noted: a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $1.6 million of the federal share of overpayments. b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the first quarter of fiscal year 2022. c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting. d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording overpayments on the incorrect CMS-64 line and returning the incorrect federal share. e. MDHHS did not report 11 (44%) of 25 sampled Medicaid overpayments and 2 (50%) of 4 sampled CHIP overpayments accurately or timely, such as incorrectly applying a federal medical assistance percentage rate, untimely reporting after the 1-year time reporting requirement lapsed, or untimely reporting collections received. 
Criteria Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount. Cause MDHHS informed us system issues contributed to the untimely reporting of overpayments. Also, MDHHS stated overpayment receivables entered into CHAMPS were not properly reported due to the design of CHAMPS and the needed quarterly CHAMPS reports were only scheduled to be run on an annual basis. Effect MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendation We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report. Management Views MDHHS agrees with the finding.
FINDING 2022-024 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure MHP, PIHP, MI Choice, and Dental Health Plan medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports. The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care. Criteria Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports. Cause MDHHS informed us it relies on the attestation included within the MLR reports indicating the information submitted is current, complete, accurate, and in compliance with federal regulation 42 CFR 438.8; therefore, MDHHS did not require the comparison to be included. Effect MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports. Management Views MDHHS agrees with the finding.
FINDING 2022-025 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure an independent audit was conducted and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2022. Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries. Criteria Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website. Cause MDHHS informed us it relies on various reviews in lieu of an independent audit of encounter and financial data, such as periodically comparing CHAMPS encounter data with the managed care entities' internally stored encounter data to identify variances. Effect We consider this to be a material weakness and material noncompliance because MDHHS significantly limits its assurance the data submitted by the managed care entities is accurate. Also, inaccurate data could affect the capitation rates developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. 
Recommendation We recommend MDHHS ensure an independent audit is conducted and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities. Management Views MDHHS agrees with the finding.
FINDING 2022-047 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $5,774 for 15 (50%) of 30 payments sampled from a $1,390,653 population of beneficiary payments with no corresponding Medicaid coverage. Criteria Federal regulation 42 CFR 435.1002(b) indicates that federal funding is available only for services provided to eligible beneficiaries. Cause MDHHS informed us because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility. Effect MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs exceed $25,000. • $5,103 - federal share of payments made to providers on behalf of ineligible beneficiaries. • $671 - State share of payments made to providers on behalf of ineligible beneficiaries. Recommendation We recommend that MDHHS ensure that beneficiary eligibility is updated in CHAMPS. Management Views MDHHS agrees with the finding.
FINDING 2022-048 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not prevent or timely recover payments, totaling $324, for 2 (25%) of 8 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 135 allows payment for HHP services on the day a client is discharged from the hospital. Cause MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, the monthly hospitalization reports are not capturing all facility stays for home help clients. Effect MDHHS paid a total of $324 from October 1, 2021 through September 30, 2022 for sampled clients who did not qualify for the HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. • $232 - federal share of amounts paid for HHP services while sampled clients were hospitalized. • $92 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-049 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; and Matching, Level of Effort, and Earmarking - Home Help Payment Oversight See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not review home help provider invoices for 4 (27%) of 15 sampled payments to individual providers, totaling $485, to help ensure home help payments were reflective of the services provided. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 requires individual providers to submit monthly invoices for reimbursement. Cause Although the Electronic Service Verifications (ESV) and Paper Service Verifications (PSV) collect information on completed services, prior to April 1, 2022 there was no automated review of the ESV information and there continues to be no automated review of the PSV information to determine if all services were provided before payment was issued. Effect MDHHS paid a total of $485 for services from October 1, 2021 through September 30, 2022 that were not supported by home help provider invoices for the sampled payments. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. • $348 - federal share. • $137 - State share of costs MDHHS inappropriately used as matching.
Recommendation We recommend MDHHS review home help provider invoices to help ensure home help payments are reflective of the services provided. Management Views MDHHS agrees with the finding.
FINDING 2022-050 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $95,211 for 2,154 FFS claims for beneficiaries simultaneously enrolled in an MHP. Criteria According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award. Cause MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us that the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. Effect MDHHS made improper FFS practitioner payments of $95,211 from October 1, 2021 through September 30, 2022. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs • $71,324 - federal share of improper payments made to providers from October 1, 2021 through September 30, 2022. • $23,887 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend that MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster. Management Views MDHHS agrees with the finding.
FINDING 2022-051 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Special Tests and Provisions - MARIS General Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security management over the Medicaid Audit Recovery and Investigation System (MARIS) database. MDHHS staff use MARIS to track and investigate complaints alleging Medicaid fraud, waste, and abuse. The MARIS database management system contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to MARIS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of MARIS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security management over the MARIS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform postimplementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support that its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support that its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-007 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted: a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan. b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing. c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP. 
Cause MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment. Effect MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding. For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. 
For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability. For part c., although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls. 
Auditor's Comments to Management Views The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2022-009 CHAMPS General Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is the Medicaid and CHIP claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to CHAMPS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs • $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-019 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility See Schedule of Findings and Questioned Costs for chart/table. Background In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP. Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. As a result, we sampled beneficiaries for each program who either began receiving assistance or had a change in their type of assistance during fiscal year 2022. We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table. For an estimated 74,086 Medicaid and 16,324 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. 
However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested. The results of the testing for the remaining 54 Medicaid and 48 CHIP beneficiaries we were able to review are summarized in the finding below. Condition MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed: a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 4 (7%) of 54 Medicaid and 11 (23%) of 48 CHIP cases reviewed. b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 54 Medicaid cases reviewed. Criteria Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Cause For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions. For part b., MDHHS indicated the missing documentation resulted from staff oversight. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 9% Medicaid and 23% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance. 
Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. • $1,969 - federal share. • $656 - State share of costs MDHHS inappropriately used as matching. Recommendations We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements. We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-020 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely. On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified it incorrectly recorded $39.1 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2022. However, we selected a sample of 2 beneficiaries that were transferred to CHIP and noted both beneficiaries were not eligible for CHIP but were in fact Medicaid eligible and, therefore, should not have been transferred. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs. Cause MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). 
The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, some cases were transferred in error. Effect MDHHS inappropriately transferred $294 Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Also, of the $39.1 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. For the CHIP compliance requirements noted, we consider this to be a material weakness and material noncompliance because the $39.1 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 14% of total CHIP expenditures and both sample items were inappropriately transferred to CHIP. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. • $235 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $235 is questioned in Finding 2022-019. • $58 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely. 
Management Views MDHHS agrees with the finding.
FINDING 2022-021 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Eligibility Interface Errors See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments. Condition MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Cause MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices. Effect MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. 
Recommendation We recommend MDHHS maintain documentation to support that eligibility records that have identified errors and are excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate. Management Views MDHHS agrees with the finding.
FINDING 2022-022 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures. Criteria Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935. 
Cause MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS relies on the entities to inform it when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures. Effect MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendations We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures. Management Views MDHHS agrees with the finding.
FINDING 2022-023 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report). We noted: a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $1.6 million of the federal share of overpayments. b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the first quarter of fiscal year 2022. c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting. d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording overpayments on the incorrect CMS-64 line and returning the incorrect federal share. e. MDHHS did not report 11 (44%) of 25 sampled Medicaid overpayments and 2 (50%) of 4 sampled CHIP overpayments accurately or timely, such as incorrectly applying a federal medical assistance percentage rate, untimely reporting after the 1-year time reporting requirement lapsed, or untimely reporting collections received. 
Criteria Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount. Cause MDHHS informed us system issues contributed to the untimely reporting of overpayments. Also, MDHHS stated overpayment receivables entered into CHAMPS were not properly reported due to the design of CHAMPS and the needed quarterly CHAMPS reports were only scheduled to be run on an annual basis. Effect MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendation We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report. Management Views MDHHS agrees with the finding.
FINDING 2022-024 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure MHP, PIHP, MI Choice, and Dental Health Plan medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports. The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care. Criteria Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports. Cause MDHHS informed us it relies on the attestation included within the MLR reports indicating the information submitted is current, complete, accurate, and in compliance with federal regulation 42 CFR 438.8; therefore, MDHHS did not require the comparison to be included. Effect MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports. Management Views MDHHS agrees with the finding.
FINDING 2022-025 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure an independent audit was conducted and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2022. Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries. Criteria Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website. Cause MDHHS informed us it relies on various reviews in lieu of an independent audit of encounter and financial data, such as periodically comparing CHAMPS encounter data with the managed care entities' internally stored encounter data to identify variances. Effect We consider this to be a material weakness and material noncompliance because MDHHS significantly limits its assurance the data submitted by the managed care entities is accurate. Also, inaccurate data could affect the capitation rates developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. 
Recommendation We recommend MDHHS ensure an independent audit is conducted and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities. Management Views MDHHS agrees with the finding.
FINDING 2022-047 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $5,774 for 15 (50%) of 30 payments sampled from a $1,390,653 population of beneficiary payments with no corresponding Medicaid coverage. Criteria Federal regulation 42 CFR 435.1002(b) indicates that federal funding is available only for services provided to eligible beneficiaries. Cause MDHHS informed us because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility. Effect MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs exceed $25,000.
• $5,103 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $671 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation We recommend that MDHHS ensure that beneficiary eligibility is updated in CHAMPS. Management Views MDHHS agrees with the finding.
FINDING 2022-048 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not prevent or timely recover payments, totaling $324, for 2 (25%) of 8 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 135 allows payment for HHP services on the day a client is discharged from the hospital. Cause MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, the monthly hospitalization reports are not capturing all facility stays for home help clients. Effect MDHHS paid a total of $324 from October 1, 2021 through September 30, 2022 for sampled clients who did not qualify for the HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $232 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $92 - State share of costs MDHHS inappropriately used as matching.
Recommendation We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-049 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; and Matching, Level of Effort, and Earmarking - Home Help Payment Oversight See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not review home help provider invoices for 4 (27%) of 15 sampled payments to individual providers, totaling $485, to help ensure home help payments were reflective of the services provided. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 requires individual providers to submit monthly invoices for reimbursement. Cause Although the Electronic Service Verifications (ESV) and Paper Service Verifications (PSV) collect information on completed services, prior to April 1, 2022 there was no automated review of the ESV information and there continues to be no automated review of the PSV information to determine if all services were provided before payment was issued. Effect MDHHS paid a total of $485 for services from October 1, 2021 through September 30, 2022 that were not supported by home help provider invoices for the sampled payments. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $348 - federal share.
• $137 - State share of costs MDHHS inappropriately used as matching.
Recommendation We recommend MDHHS review home help provider invoices to help ensure home help payments are reflective of the services provided. Management Views MDHHS agrees with the finding.
FINDING 2022-050 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $95,211 for 2,154 FFS claims for beneficiaries simultaneously enrolled in an MHP. Criteria According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award. Cause MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us that the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. Effect MDHHS made improper FFS practitioner payments of $95,211 from October 1, 2021 through September 30, 2022. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs
• $71,324 - federal share of improper payments made to providers from October 1, 2021 through September 30, 2022.
• $23,887 - State share of costs MDHHS inappropriately used as matching.
Recommendation We recommend that MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster. Management Views MDHHS agrees with the finding.
FINDING 2022-051 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Special Tests and Provisions - MARIS General Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security management over the Medicaid Audit Recovery and Investigation System (MARIS) database. MDHHS staff use MARIS to track and investigate complaints alleging Medicaid fraud, waste, and abuse. The MARIS database management system contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to MARIS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of MARIS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security management over the MARIS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-052 Immunization Cooperative Agreements, ALN 93.268, Special Tests and Provisions - MCIR General Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security configurations for the Michigan Care Improvement Registry (MCIR) database. MCIR serves as the central registry for immunization records in the State, as well as the vaccine inventory management system for providers enrolled in the Vaccines for Children (VFC) program. The MCIR database management systems contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to MCIR. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of MCIR and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security configurations for the MCIR database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-053 Immunization Cooperative Agreements, ALN 93.268, Special Tests and Provisions - Control, Accountability, and Safeguarding of Vaccine and Record of Immunization See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure compliance site visits for providers enrolled in the VFC program were conducted in accordance with federal guidelines. We noted: a. MDHHS did not timely conduct a compliance site visit at least once every 24 months for 16 (40%) of 40 sampled providers. For the 16 providers, the compliance visits were late between 1.8 months and 1.5 years, averaging 9.2 months. b. MDHHS did not conduct a compliance site visit at least once every 24 months for 12 (30%) of 40 sampled providers. For the 12 providers, the compliance visits were not complete as of September 30, 2022 and were overdue between 9.2 months and 3.9 years, averaging 1.5 years. c. MDHHS did not conduct site visits for over 70% of VFC providers during fiscal year 2022; instead, MDHHS completed site visits for only 43% of providers. Criteria Federal law 42 USC 1396s requires vaccines to be adequately safeguarded and used solely for authorized purposes. The HHS's Centers for Disease Control and Prevention's (CDC's) Vaccines for Children July 2021 and July 2022 Operations Guides state awardees must conduct and record VFC compliance site visits, covering areas of provider details, eligibility, documentation, storage and handling, and inventory management with each VFC provider every 24 months. In addition, the CDC's approval of MDHHS's monitoring program includes conducting annual site visits to over 70% of VFC provider clinic sites each year.
Because of the COVID-19 pandemic, the CDC provided separate guidance noting hybrid (virtual plus in person) compliance site visits could be conducted to reduce the amount of time reviewers needed to spend physically on site at the provider and in August 2020 permitted, for a limited time, virtual only site visits as an alternative to in-person or hybrid site visits. The CDC also issued frequently asked questions providing clarification for the virtual and hybrid options. These frequently asked questions encouraged awardees to resume traditional in-person site visits as soon as local pandemic conditions and travel restrictions allow. Cause MDHHS resumed conducting regular site visits for a limited number of providers during fiscal year 2022. Also, MDHHS informed us it did not conduct provider compliance site visits for all providers because the CDC allowed jurisdictions to temporarily suspend site visits during the COVID-19 pandemic; however, the CDC did not update its Operations Guide to allow for a temporary suspension of the required site visits and COVID-19 guidance indicates awardees should still attempt to schedule virtual site visits with VFC providers. Effect We consider this to be a material weakness and material noncompliance because MDHHS could not ensure VFC providers adequately safeguarded and used vaccines solely for authorized purposes and because of the high error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure required compliance site visits for providers enrolled in the VFC program are conducted. Management Views MDHHS disagrees with the finding. Site visits were not conducted for all Vaccines for Children providers during the review period because the Centers for Disease Control and Prevention (CDC) allowed jurisdictions to temporarily suspend these visits during the COVID-19 pandemic. 
MDHHS reached out to the CDC for clarification on conducting site visits and was informed that site visit activities may be suspended based on COVID-19 activity in MDHHS's jurisdiction and capacity within MDHHS's organization. Information supporting this decision was provided to the audit team. Auditor's Comments to Management Views While the CDC communicated that a temporary suspension was permissible, the CDC compliance site visit requirement did not change. Also, the special tests and provisions compliance requirements for Control, Accountability, and Safeguarding of Vaccine and Record of Immunization were subject to audit according to OMB Compliance Supplement. As the federal grantor agency, the CDC has discretion as to whether penalties will be assessed for noncompliance. However, neither this nor MDHHS's capacity to complete these required site visits alleviates our responsibility to report noncompliance under the Uniform Guidance. Therefore, the finding stands as written.
FINDING 2022-017
MDHHS, Reporting - FFATA Reporting

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted:
a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards.
b. Of the 125 subawards in FSRS:
(1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards.
(2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards.
(3) MDHHS did not report all key data elements for 1 (1%) sampled subawards.

Criteria
Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made.

Cause
MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements.

Effect
MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA.

Management Views
MDHHS agrees with the finding.
FINDING 2022-052
Immunization Cooperative Agreements, ALN 93.268, Special Tests and Provisions - MCIR General Controls

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS and DTMB did not fully establish and implement effective security configurations for the Michigan Care Improvement Registry (MCIR) database. MCIR serves as the central registry for immunization records in the State, as well as the vaccine inventory management system for providers enrolled in the Vaccines for Children (VFC) program. The MCIR database management systems contained potentially vulnerable database configurations.

Criteria
Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.

Cause
DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022.

Effect
Without effective general controls, individuals may make inappropriate changes to MCIR. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of MCIR and its data.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS and DTMB fully establish and implement effective security configurations for the MCIR database.

Management Views
Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards.

Auditor's Comments to Management Views
Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-026
Epidemiology and Laboratory Capacity for Infectious Diseases (ELC), ALN 93.323 and Disaster Grants - Public Assistance (Presidentially Declared Disasters), ALN 97.036 - Long-Term Care (LTC) Facility COVID-19 Testing Reimbursements

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not maintain sufficient documentation to demonstrate a process was in place to ensure long-term care (LTC) facility COVID-19 testing reimbursement requests, totaling $48.5 million ($46.4 million Disaster Grants - Public Assistance (Presidentially Declared Disasters) and $2.1 million ELC), were reasonable and appropriate.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over the federal award that provides reasonable assurance the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Also, Subpart E of federal regulations 2 CFR 200 and 5 CFR 75 require costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program.

Cause
MDHHS believed its process was sufficient to ensure requests were reasonable and appropriate. However, the documentation provided did not substantiate the procedures completed.

Effect
MDHHS could not demonstrate the costs complied with the applicable federal regulations ensuring reasonableness of the amounts requested. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS maintain sufficient documentation to demonstrate its process to ensure LTC facility COVID-19 testing reimbursement requests are reasonable and appropriate.

Management Views
MDHHS agrees with the finding.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-008 MiSACWIS Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over the Michigan Statewide Automated Child Welfare Information System (MiSACWIS). We noted: a. MDHHS did not properly approve 3 (8%) of the 40 sampled MiSACWIS application security agreements prior to granting access to MiSACWIS. b. MDHHS did not maintain documentation for 12 (30%) of 40 sampled MiSACWIS incompatible role exception requests. Of the 28 forms received, we noted MDHHS did not properly approve 3 (11%) forms prior to granting the exception requests. c. DTMB did not fully establish and implement effective security configurations for the MiSACWIS database. The MiSACWIS database management system contained potentially vulnerable database configurations. d. MDHHS did not always perform or document its monitoring of high-risk transactions. e. MDHHS did not review its semiannual recertification of 1 of 5 sampled MiSACWIS privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 4 (16%) of 25 sampled MiSACWIS non-privileged user accounts. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. 
The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts. In addition, GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties' conflicts exist. Cause For parts a. and b., MDHHS informed us local office security coordinators and security administrators did not follow established policies and procedures regarding granting of MiSACWIS access. Also, MDHHS informed us the exception reviewer approved the conflicting roles instead of routing the role exception requests to the exception manager for review. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control was not always sufficient to ensure it completed and retained documentation to support its monitoring of high-risk transactions. For part e., MDHHS informed us the users' roles were not always recertified due to staff oversight. 
Effect Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to MiSACWIS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the MiSACWIS application and data used to help determine eligibility and benefits for TANF, Foster Care - Title IV-E, Adoption Assistance, and Social Services Block Grant. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over MiSACWIS. Management Views MDHHS agrees with parts a., b., d., and e. of the finding. DTMB disagrees with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether MDHHS and DTMB completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-010 MARS User Access See Schedule of Findings and Questioned Costs for chart/table. Condition The Department of Labor and Economic Opportunity (LEO) did not fully establish effective user access controls over the Management of Awards to Recipients System (MARS). Michigan Works! Agencies used MARS to request reimbursement, report expenditures, and view financial data related to employment, education, and training services provided to clients. We noted: a. LEO did not review MARS user access semiannually for privileged accounts or annually for all other accounts. b. LEO did not disable 83 (44%) of 189 active MARS user accounts that had not accessed the application in over 60 days as of September 30, 2022. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts and the information system to automatically disable inactive user accounts after 60 days. 
Cause LEO informed us that because of staffing limitations, some processes could not be followed or established. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MARS. As a result, an increased risk exists that LEO cannot ensure the security of the MARS application and data used to issue payments to subrecipients* of federal awards. Known Questioned Costs None. Recommendation We recommend LEO fully establish effective user access controls over MARS. Management Views LEO agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-054 Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Non-Financial Eligibility Documentation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain or maintain sufficient non-financial case record documentation to support client eligibility for TANF-funded assistance payments. We noted the client's case records did not include the following: a. Documentation to support completion of the Family Self-Sufficiency Plan, verifications to support the relationship of the child to the adult on the case record, records to support children older than 6 were attending school full time, and inquiry regarding parole violations for 6 (30%) of 20 sampled TANF-funded Family Independence Program (FIP) payments. b. Completed applications, support for timely completion of the Family Automated Screening Tool, verifications to support the relationship of the child to the adult on the case record, and records to support children older than 6 were attending school full time for 2 (29%) of 7 sampled TANF-COVID-19 funded clothing allowance payments for eligible children receiving FIP or ineligible for FIP due to receiving Supplemental Security Income during September 2022. Criteria Federal regulation 45 CFR 260.20 requires a family be needy in order to be eligible for TANF assistance and job preparation services. Federal regulation 45 CFR 205.60(a) requires MDHHS to maintain records to support eligibility, including facts to support the client's need for assistance. MDHHS's policies and procedures require documentation used to verify eligibility be maintained in the case file. Also, federal law 42 USC 608(a)(9)(A) states that a state may not provide assistance to any individual who is violating a condition of probation or parole imposed under federal or State law. 
Further, Public Act 166 of 2022 required MDHHS to allocate an annual clothing allowance to all eligible children in a FIP group. In addition, Subpart E of federal regulation 45 CFR 75 requires costs charged to federal programs be adequately documented, be necessary and reasonable for the administration of the federal award, be in accordance with the relative benefits received by the program, and be consistent with policies and procedures that apply to both the federal award and other activities of the state. Cause For part a., MDHHS informed us its controls were not sufficient to ensure that all of the required verification documentation was appropriately maintained in the client's case record. For part b., MDHHS informed us that because these families received FIP benefits during September 2022, they were eligible for the COVID-19 clothing allowance. However, our review disclosed the two case records did not support FIP eligibility for September 2022. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments to ineligible recipients and because of the high error rates noted. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $8,368 - federal share. $56 - State share of costs MDHHS inappropriately used as State maintenance of effort. Recommendation We recommend MDHHS obtain and maintain sufficient non-financial case record documentation to support client eligibility for TANF-funded assistance payments. Management Views MDHHS agrees with the finding.
FINDING 2022-055 Temporary Assistance for Needy Families, ALN 93.558, Reporting - Accuracy of Financial Reports See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not submit accurate financial reports to HHS's Administration for Children and Families (ACF). Our review of the fiscal year 2022 fourth quarter TANF financial report (ACF-196R) noted MDHHS excluded $23.1 million in federal expenditures incurred by LEO. Also, MDHHS inappropriately included these expenditures in its fiscal year 2023 first quarter financial report instead of submitting a corrected fiscal year 2022 financial report for the quarter ended September 30, 2022. Criteria Federal regulation 2 CFR 200.302(b)(2) requires grantees to submit accurate financial data in accordance with a grant program's reporting requirements. The reporting instructions include details for reporting expenditures made in the federal fiscal year for the grant year being reported. The instructions also state revisions to expenditures reported in prior years should be made to the report of the fiscal year in which the expenditure occurred. Cause MDHHS informed us its internal control approval process was not timely and resulted in excluding LEO's fourth quarter interagency billing from the 2022 financial report. Effect MDHHS may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of TANF funds. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS improve its internal control and submit revised financial reports to ACF. Management Views MDHHS agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-008 MiSACWIS Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over the Michigan Statewide Automated Child Welfare Information System (MiSACWIS). We noted: a. MDHHS did not properly approve 3 (8%) of the 40 sampled MiSACWIS application security agreements prior to granting access to MiSACWIS. b. MDHHS did not maintain documentation for 12 (30%) of 40 sampled MiSACWIS incompatible role exception requests. Of the 28 forms received, we noted MDHHS did not properly approve 3 (11%) forms prior to granting the exception requests. c. DTMB did not fully establish and implement effective security configurations for the MiSACWIS database. The MiSACWIS database management system contained potentially vulnerable database configurations. d. MDHHS did not always perform or document its monitoring of high-risk transactions. e. MDHHS did not review its semiannual recertification of 1 of 5 sampled MiSACWIS privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 4 (16%) of 25 sampled MiSACWIS non-privileged user accounts. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. 
The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts. In addition, GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties' conflicts exist. Cause For parts a. and b., MDHHS informed us local office security coordinators and security administrators did not follow established policies and procedures regarding granting of MiSACWIS access. Also, MDHHS informed us the exception reviewer approved the conflicting roles instead of routing the role exception requests to the exception manager for review. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control was not always sufficient to ensure it completed and retained documentation to support its monitoring of high-risk transactions. For part e., MDHHS informed us the users' roles were not always recertified due to staff oversight. 
Effect Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to MiSACWIS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the MiSACWIS application and data used to help determine eligibility and benefits for TANF, Foster Care - Title IV-E, Adoption Assistance, and Social Services Block Grant. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over MiSACWIS. Management Views MDHHS agrees with parts a., b., d., and e. of the finding. DTMB disagrees with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether MDHHS and DTMB completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-010 MARS User Access See Schedule of Findings and Questioned Costs for chart/table. Condition The Department of Labor and Economic Opportunity (LEO) did not fully establish effective user access controls over the Management of Awards to Recipients System (MARS). Michigan Works! Agencies used MARS to request reimbursement, report expenditures, and view financial data related to employment, education, and training services provided to clients. We noted: a. LEO did not review MARS user access semiannually for privileged accounts or annually for all other accounts. b. LEO did not disable 83 (44%) of 189 active MARS user accounts that had not accessed the application in over 60 days as of September 30, 2022. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts and the information system to automatically disable inactive user accounts after 60 days. 
Cause LEO informed us that because of staffing limitations, some processes could not be followed or established. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MARS. As a result, an increased risk exists that LEO cannot ensure the security of the MARS application and data used to issue payments to subrecipients* of federal awards. Known Questioned Costs None. Recommendation We recommend LEO fully establish effective user access controls over MARS. Management Views LEO agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-054 Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Non-Financial Eligibility Documentation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain or maintain sufficient non-financial case record documentation to support client eligibility for TANF-funded assistance payments. We noted the client's case records did not include the following: a. Documentation to support completion of the Family Self-Sufficiency Plan, verifications to support the relationship of the child to the adult on the case record, records to support children older than 6 were attending school full time, and inquiry regarding parole violations for 6 (30%) of 20 sampled TANF-funded Family Independence Program (FIP) payments. b. Completed applications, support for timely completion of the Family Automated Screening Tool, verifications to support the relationship of the child to the adult on the case record, and records to support children older than 6 were attending school full time for 2 (29%) of 7 sampled TANF-COVID-19 funded clothing allowance payments for eligible children receiving FIP or ineligible for FIP due to receiving Supplemental Security Income during September 2022. Criteria Federal regulation 45 CFR 260.20 requires a family be needy in order to be eligible for TANF assistance and job preparation services. Federal regulation 45 CFR 205.60(a) requires MDHHS to maintain records to support eligibility, including facts to support the client's need for assistance. MDHHS's policies and procedures require documentation used to verify eligibility be maintained in the case file. Also, federal law 42 USC 608(a)(9)(A) states that a state may not provide assistance to any individual who is violating a condition of probation or parole imposed under federal or State law. 
Further, Public Act 166 of 2022 required MDHHS to allocate an annual clothing allowance to all eligible children in a FIP group. In addition, Subpart E of federal regulation 45 CFR 75 requires costs charged to federal programs be adequately documented, be necessary and reasonable for the administration of the federal award, be in accordance with the relative benefits received by the program, and be consistent with policies and procedures that apply to both the federal award and other activities of the state. Cause For part a., MDHHS informed us its controls were not sufficient to ensure that all of the required verification documentation was appropriately maintained in the client's case record. For part b., MDHHS informed us that because these families received FIP benefits during September 2022, they were eligible for the COVID-19 clothing allowance. However, our review disclosed the two case records did not support FIP eligibility for September 2022. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments to ineligible recipients and because of the high error rates noted. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $8,368 - federal share. $56 - State share of costs MDHHS inappropriately used as State maintenance of effort. Recommendation We recommend MDHHS obtain and maintain sufficient non-financial case record documentation to support client eligibility for TANF-funded assistance payments. Management Views MDHHS agrees with the finding.
FINDING 2022-055 Temporary Assistance for Needy Families, ALN 93.558, Reporting - Accuracy of Financial Reports See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not submit accurate financial reports to HHS's Administration for Children and Families (ACF). Our review of the fiscal year 2022 fourth quarter TANF financial report (ACF-196R) noted MDHHS excluded $23.1 million in federal expenditures incurred by LEO. Also, MDHHS inappropriately included these expenditures in its fiscal year 2023 first quarter financial report instead of submitting a corrected fiscal year 2022 financial report for the quarter ended September 30, 2022. Criteria Federal regulation 2 CFR 200.302(b)(2) requires grantees to submit accurate financial data in accordance with a grant program's reporting requirements. The reporting instructions include details for reporting expenditures made in the federal fiscal year for the grant year being reported. The instructions also state revisions to expenditures reported in prior years should be made to the report of the fiscal year in which the expenditure occurred. Cause MDHHS informed us its internal control approval process was not timely and resulted in excluding LEO's fourth quarter interagency billing from the 2022 financial report. Effect MDHHS may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of TANF funds. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS improve its internal control and submit revised financial reports to ACF. Management Views MDHHS agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding.
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform postimplementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-056 Low-Income Home Energy Assistance, ALN 93.568, Cash Management - Recertification of Clearance Patterns See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Treasury (Treasury) did not adequately review and recertify the accuracy of the clearance patterns contained in the agreement with the U.S. Department of the Treasury, referred to as the Treasury State Agreement (TSA). We noted Treasury did not reassess the accuracy of the LIHEAP clearance patterns as specified in its fiscal year 2022 TSA, which were last reviewed and updated in its fiscal year 2015 TSA. Criteria Federal regulation 31 CFR 205.20 requires the clearance pattern to be based on at least three consecutive months of disbursement data to accurately represent the flow of federal funds and reflect seasonal or other periodic variations in clearance activity of the program to which it is applied. Also, federal regulation 31 CFR 205.22(b) states the State must recertify the accuracy of a clearance pattern every five years. Cause Treasury informed us staff turnover and the transfer of the TSA process to another Treasury office contributed to its delay in the recertification of the clearance patterns. Effect Failure to ensure the accuracy of clearance patterns could cause the State to inappropriately calculate the date it should request reimbursement from the U.S. Department of the Treasury for federal assistance programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend that Treasury review and recertify the accuracy of the clearance patterns specified in the TSA. Management Views Treasury agrees with the finding.
FINDING 2022-057 Low-Income Home Energy Assistance, ALN 93.568, Eligibility - Eligibility Determinations See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not maintain sufficient documentation of its efforts to evaluate client eligibility; examples of documentation include support for the verification of the client's income, assets, and proof of energy crisis for 13 (32%) of 41 sampled LIHEAP-funded State Emergency Relief (SER) energy payments. Criteria Federal law 42 USC 8624 requires the State to expend funds in accordance with the LIHEAP State Plan and allows MDHHS to use LIHEAP funds to intervene in energy-related crisis situations and assist eligible households to meet the costs of home energy. MDHHS policy requires county/district office caseworkers to verify and include certain assets or income of SER group members during intake in order to determine eligibility for SER energy services. Also, policy states the payment amount must match the amount on the past due or shut-off notice. Cause MDHHS's internal control and monitoring activities were not sufficient to ensure that county/district office caseworkers adhered to established policies and procedures. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible recipients and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $3,772 - federal share. Recommendation We recommend MDHHS maintain sufficient documentation to support client eligibility for LIHEAP-funded SER energy payments. Management Views MDHHS agrees with the finding.
FINDING 2022-058 Low-Income Home Energy Assistance, ALN 93.568, Reporting - Annual Report on Households Assisted by LIHEAP See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure the accuracy of the Annual Report on Households Assisted by LIHEAP reported to HHS's ACF. Our review disclosed MDHHS did not accurately report 2 (14%) of 14 line items reviewed. MDHHS did not include 12,799 (4%) applicants for heating assistance and 1,396 (60%) applicants for furnace repair and replacement assistance. Criteria Federal regulation 45 CFR 96.82(b) requires each grantee to submit to the U.S. Department of Health and Human Services, as part of its LIHEAP grant application, data on the number of households receiving LIHEAP assistance during the 12-month period corresponding to the federal fiscal year. The reporting instructions include details for reporting household counts for assisted households and applicant households for the federal fiscal year. Cause MDHHS and DTMB informed us additional applicants were identified in Treasury's home heating credit data after the report was submitted and resulted in underreporting heating assistance applicants. MDHHS and DTMB also informed us an error in DTMB's query language resulted in underreporting furnace repair and replacement applicants. Effect MDHHS may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of LIHEAP funds. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure the accuracy of the Annual Report on Households Assisted by LIHEAP reported to HHS's ACF. Management Views MDHHS agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform postimplementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-056 Low-Income Home Energy Assistance, ALN 93.568, Cash Management - Recertification of Clearance Patterns See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Treasury (Treasury) did not adequately review and recertify the accuracy of the clearance patterns contained in the agreement with the U.S. Department of the Treasury, referred to as the Treasury State Agreement (TSA). We noted Treasury did not reassess the accuracy of the LIHEAP clearance patterns as specified in its fiscal year 2022 TSA, which were last reviewed and updated in its fiscal year 2015 TSA. Criteria Federal regulation 31 CFR 205.20 requires the clearance pattern to be based on at least three consecutive months of disbursement data to accurately represent the flow of federal funds and reflect seasonal or other periodic variations in clearance activity of the program to which it is applied. Also, federal regulation 31 CFR 205.22(b) states the State must recertify the accuracy of a clearance pattern every five years. Cause Treasury informed us staff turnover and the transfer of the TSA process to another Treasury office contributed to its delay in the recertification of the clearance patterns. Effect Failure to ensure the accuracy of clearance patterns could cause the State to inappropriately calculate the date it should request reimbursement from the U.S. Department of the Treasury for federal assistance programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend that Treasury review and recertify the accuracy of the clearance patterns specified in the TSA. Management Views Treasury agrees with the finding.
FINDING 2022-007 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted: a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan. b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing. c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP. 
Cause MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment. Effect MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding. For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. 
For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability. For part c, although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls. 
Auditor's Comments to Management Views The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2022-008 MiSACWIS Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over the Michigan Statewide Automated Child Welfare Information System (MiSACWIS). We noted: a. MDHHS did not properly approve 3 (8%) of the 40 sampled MiSACWIS application security agreements prior to granting access to MiSACWIS. b. MDHHS did not maintain documentation for 12 (30%) of 40 sampled MiSACWIS incompatible role exception requests. Of the 28 forms received, we noted MDHHS did not properly approve 3 (11%) forms prior to granting the exception requests. c. DTMB did not fully establish and implement effective security configurations for the MiSACWIS database. The MiSACWIS database management system contained potentially vulnerable database configurations. d. MDHHS did not always perform or document its monitoring of high-risk transactions. e. MDHHS did not review its semiannual recertification of 1 of 5 sampled MiSACWIS privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 4 (16%) of 25 sampled MiSACWIS non-privileged user accounts. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. 
The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts. In addition, GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties' conflicts exist. Cause For parts a. and b., MDHHS informed us local office security coordinators and security administrators did not follow established policies and procedures regarding granting of MiSACWIS access. Also, MDHHS informed us the exception reviewer approved the conflicting roles instead of routing the role exception requests to the exception manager for review. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control was not always sufficient to ensure it completed and retained documentation to support its monitoring of high-risk transactions. For part e., MDHHS informed us the users' roles were not always recertified due to staff oversight. 
Effect Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to MiSACWIS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the MiSACWIS application and data used to help determine eligibility and benefits for TANF, Foster Care - Title IV-E, Adoption Assistance, and Social Services Block Grant. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over MiSACWIS. Management Views MDHHS agrees with parts a., b., d., and e. of the finding. DTMB disagrees with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether MDHHS and DTMB completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-007 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted: a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan. b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing. c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP. 
Cause MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment. Effect MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding. For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. 
For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability. For part c, although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls. 
Auditor's Comments to Management Views The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2022-008 MiSACWIS Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over the Michigan Statewide Automated Child Welfare Information System (MiSACWIS). We noted: a. MDHHS did not properly approve 3 (8%) of the 40 sampled MiSACWIS application security agreements prior to granting access to MiSACWIS. b. MDHHS did not maintain documentation for 12 (30%) of 40 sampled MiSACWIS incompatible role exception requests. Of the 28 forms received, we noted MDHHS did not properly approve 3 (11%) forms prior to granting the exception requests. c. DTMB did not fully establish and implement effective security configurations for the MiSACWIS database. The MiSACWIS database management system contained potentially vulnerable database configurations. d. MDHHS did not always perform or document its monitoring of high-risk transactions. e. MDHHS did not review its semiannual recertification of 1 of 5 sampled MiSACWIS privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 4 (16%) of 25 sampled MiSACWIS non-privileged user accounts. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. 
The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts. In addition, GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties' conflicts exist. Cause For parts a. and b., MDHHS informed us local office security coordinators and security administrators did not follow established policies and procedures regarding granting of MiSACWIS access. Also, MDHHS informed us the exception reviewer approved the conflicting roles instead of routing the role exception requests to the exception manager for review. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control was not always sufficient to ensure it completed and retained documentation to support its monitoring of high-risk transactions. For part e., MDHHS informed us the users' roles were not always recertified due to staff oversight. 
Effect Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to MiSACWIS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the MiSACWIS application and data used to help determine eligibility and benefits for TANF, Foster Care - Title IV-E, Adoption Assistance, and Social Services Block Grant. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over MiSACWIS. Management Views MDHHS agrees with parts a., b., d., and e. of the finding. DTMB disagrees with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether MDHHS and DTMB completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs ? $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding
FINDING 2022-008 MiSACWIS Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over the Michigan Statewide Automated Child Welfare Information System (MiSACWIS). We noted: a. MDHHS did not properly approve 3 (8%) of the 40 sampled MiSACWIS application security agreements prior to granting access to MiSACWIS. b. MDHHS did not maintain documentation for 12 (30%) of 40 sampled MiSACWIS incompatible role exception requests. Of the 28 forms received, we noted MDHHS did not properly approve 3 (11%) forms prior to granting the exception requests. c. DTMB did not fully establish and implement effective security configurations for the MiSACWIS database. The MiSACWIS database management system contained potentially vulnerable database configurations. d. MDHHS did not always perform or document its monitoring of high-risk transactions. e. MDHHS did not review its semiannual recertification of 1 of 5 sampled MiSACWIS privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 4 (16%) of 25 sampled MiSACWIS non-privileged user accounts. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. 
The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts. In addition, GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties' conflicts exist. Cause For parts a. and b., MDHHS informed us local office security coordinators and security administrators did not follow established policies and procedures regarding granting of MiSACWIS access. Also, MDHHS informed us the exception reviewer approved the conflicting roles instead of routing the role exception requests to the exception manager for review. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control was not always sufficient to ensure it completed and retained documentation to support its monitoring of high-risk transactions. For part e., MDHHS informed us the users' roles were not always recertified due to staff oversight. 
Effect Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to MiSACWIS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the MiSACWIS application and data used to help determine eligibility and benefits for TANF, Foster Care - Title IV-E, Adoption Assistance, and Social Services Block Grant. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over MiSACWIS. Management Views MDHHS agrees with parts a., b., d., and e. of the finding. DTMB disagrees with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether MDHHS and DTMB completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs ? $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding
FINDING 2022-008 MiSACWIS Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over the Michigan Statewide Automated Child Welfare Information System (MiSACWIS). We noted: a. MDHHS did not properly approve 3 (8%) of the 40 sampled MiSACWIS application security agreements prior to granting access to MiSACWIS. b. MDHHS did not maintain documentation for 12 (30%) of 40 sampled MiSACWIS incompatible role exception requests. Of the 28 forms received, we noted MDHHS did not properly approve 3 (11%) forms prior to granting the exception requests. c. DTMB did not fully establish and implement effective security configurations for the MiSACWIS database. The MiSACWIS database management system contained potentially vulnerable database configurations. d. MDHHS did not always perform or document its monitoring of high-risk transactions. e. MDHHS did not review its semiannual recertification of 1 of 5 sampled MiSACWIS privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 4 (16%) of 25 sampled MiSACWIS non-privileged user accounts. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. 
The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts. In addition, GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties' conflicts exist. Cause For parts a. and b., MDHHS informed us local office security coordinators and security administrators did not follow established policies and procedures regarding granting of MiSACWIS access. Also, MDHHS informed us the exception reviewer approved the conflicting roles instead of routing the role exception requests to the exception manager for review. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control was not always sufficient to ensure it completed and retained documentation to support its monitoring of high-risk transactions. For part e., MDHHS informed us the users' roles were not always recertified due to staff oversight. 
Effect Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to MiSACWIS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the MiSACWIS application and data used to help determine eligibility and benefits for TANF, Foster Care - Title IV-E, Adoption Assistance, and Social Services Block Grant. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over MiSACWIS. Management Views MDHHS agrees with parts a., b., d., and e. of the finding. DTMB disagrees with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether MDHHS and DTMB completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-059 Social Services Block Grant, ALN 93.667, Reporting - Post-Expenditure Report See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not submit an accurate post-expenditure report to ACF. Our review of the fiscal year 2022 Social Services Block Grant (SSBG) Post-Expenditure Report noted MDHHS inappropriately excluded 21,162 recipients who received Independent Living Services (ILS) funded by the SSBG program, resulting in a 13% understatement of total recipients on the report. Criteria Federal law 42 USC 1397e requires each state to prepare and submit an annual post-expenditure report to include the number of individuals who received services paid for in whole or in part with funds and the amount spent in providing each type of service. The SSBG Post Expenditure Report instructions provide that the total number of recipients includes all recipients of services supported by the total expenditures. Cause MDHHS informed us ILS recipients were excluded from the SSBG Post-Expenditure Report because it misunderstood information provided by the auditors in fiscal year 2021. Subsequent to our review, MDHHS submitted a revised report and included these recipients. Effect MDHHS may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of SSBG funds. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS submit accurate post-expenditure reports and include all individuals receiving SSBG supported services. Management Views MDHHS agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-009 CHAMPS General Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is the Medicaid and CHIP claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to CHAMPS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-019 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility See Schedule of Findings and Questioned Costs for chart/table. Background In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP. Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. As a result, we sampled beneficiaries for each program who either began receiving assistance or had a change in their type of assistance during fiscal year 2022. We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table. For an estimated 74,086 Medicaid and 16,324 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. 
However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested. The results of the testing for the remaining 54 Medicaid and 48 CHIP beneficiaries we were able to review are summarized in the finding below. Condition MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed: a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 4 (7%) of 54 Medicaid and 11 (23%) of 48 CHIP cases reviewed. b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 54 Medicaid cases reviewed. Criteria Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Cause For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions. For part b., MDHHS indicated the missing documentation resulted from staff oversight. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 9% Medicaid and 23% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance. 
Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $1,969 - federal share. $656 - State share of costs MDHHS inappropriately used as matching. Recommendations We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements. We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-020 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely. On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified it incorrectly recorded $39.1 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2022. However, we selected a sample of 2 beneficiaries that were transferred to CHIP and noted both beneficiaries were not eligible for CHIP but were in fact Medicaid eligible and, therefore, should not have been transferred. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs. Cause MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). 
The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, some cases were transferred in error. Effect MDHHS inappropriately transferred $294 Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Also, of the $39.1 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. For the CHIP compliance requirements noted, we consider this to be a material weakness and material noncompliance because the $39.1 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 14% of total CHIP expenditures and both sample items were inappropriately transferred to CHIP. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $235 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $235 is questioned in Finding 2022-019. $58 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views MDHHS agrees with the finding.
FINDING 2022-021 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Eligibility Interface Errors See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments. Condition MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Cause MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices. Effect MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. 
Recommendation We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate. Management Views MDHHS agrees with the finding.
FINDING 2022-022 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures. Criteria Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935. 
Cause MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS relies on the entities to inform it when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures. Effect MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendations We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures. Management Views MDHHS agrees with the finding.
FINDING 2022-023 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report). We noted: a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $1.6 million of the federal share of overpayments. b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the first quarter of fiscal year 2022. c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting. d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording overpayments on the incorrect CMS-64 line and returning the incorrect federal share. e. MDHHS did not report 11 (44%) of 25 sampled Medicaid overpayments and 2 (50%) of 4 sampled CHIP overpayments accurately or timely, such as incorrectly applying a federal medical assistance percentage rate, untimely reporting after the 1-year time reporting requirement lapsed, or untimely reporting collections received. 
Criteria Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount. Cause MDHHS informed us system issues contributed to the untimely reporting of overpayments. Also, MDHHS stated overpayment receivables entered into CHAMPS were not properly reported due to the design of CHAMPS and the needed quarterly CHAMPS reports were only scheduled to be run on an annual basis. Effect MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendation We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report. Management Views MDHHS agrees with the finding.
FINDING 2022-024 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure MHP, PIHP, MI Choice, and Dental Health Plan medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports. The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care. Criteria Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports. Cause MDHHS informed us it relies on the attestation included within the MLR reports indicating the information submitted is current, complete, accurate, and in compliance with federal regulation 42 CFR 438.8; therefore, MDHHS did not require the comparison to be included. Effect MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports. Management Views MDHHS agrees with the finding.
FINDING 2022-025 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure an independent audit was conducted and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2022. Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries. Criteria Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website. Cause MDHHS informed us it relies on various reviews in lieu of an independent audit of encounter and financial data, such as periodically comparing CHAMPS encounter data with the managed care entities' internally stored encounter data to identify variances. Effect We consider this to be a material weakness and material noncompliance because MDHHS significantly limits its assurance the data submitted by the managed care entities is accurate. Also, inaccurate data could affect the capitation rates developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. 
Recommendation We recommend MDHHS ensure an independent audit is conducted and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities. Management Views MDHHS agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-009 CHAMPS General Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is the Medicaid and CHIP claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to CHAMPS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-019 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility See Schedule of Findings and Questioned Costs for chart/table. Background In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP. Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. As a result, we sampled beneficiaries for each program who either began receiving assistance or had a change in their type of assistance during fiscal year 2022. We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table. For an estimated 74,086 Medicaid and 16,324 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. 
However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested. The results of the testing for the remaining 54 Medicaid and 48 CHIP beneficiaries we were able to review are summarized in the finding below. Condition MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed: a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 4 (7%) of 54 Medicaid and 11 (23%) of 48 CHIP cases reviewed. b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 54 Medicaid cases reviewed. Criteria Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Cause For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions. For part b., MDHHS indicated the missing documentation resulted from staff oversight. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 9% Medicaid and 23% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance. 
Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $1,969 - federal share. $656 - State share of costs MDHHS inappropriately used as matching. Recommendations We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements. We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-020 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely. On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified it incorrectly recorded $39.1 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2022. However, we selected a sample of 2 beneficiaries that were transferred to CHIP and noted both beneficiaries were not eligible for CHIP but were in fact Medicaid eligible and, therefore, should not have been transferred. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs. Cause MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). 
The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, some cases were transferred in error. Effect MDHHS inappropriately transferred $294 Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Also, of the $39.1 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. For the CHIP compliance requirements noted, we consider this to be a material weakness and material noncompliance because the $39.1 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 14% of total CHIP expenditures and both sample items were inappropriately transferred to CHIP. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $235 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $235 is questioned in Finding 2022-019. $58 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely. 
Management Views MDHHS agrees with the finding.
FINDING 2022-021 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Eligibility Interface Errors See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments. Condition MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Cause MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices. Effect MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. 
Recommendation We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate. Management Views MDHHS agrees with the finding.
FINDING 2022-022 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures. Criteria Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935. 
Cause MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS relies on the entities to inform it when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures. Effect MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendations We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures. Management Views MDHHS agrees with the finding.
FINDING 2022-023 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report). We noted: a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $1.6 million of the federal share of overpayments. b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the first quarter of fiscal year 2022. c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting. d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording overpayments on the incorrect CMS-64 line and returning the incorrect federal share. e. MDHHS did not report 11 (44%) of 25 sampled Medicaid overpayments and 2 (50%) of 4 sampled CHIP overpayments accurately or timely, such as incorrectly applying a federal medical assistance percentage rate, untimely reporting after the 1-year time reporting requirement lapsed, or untimely reporting collections received. 
Criteria Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount. Cause MDHHS informed us system issues contributed to the untimely reporting of overpayments. Also, MDHHS stated overpayment receivables entered into CHAMPS were not properly reported due to the design of CHAMPS and the needed quarterly CHAMPS reports were only scheduled to be run on an annual basis. Effect MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendation We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report. Management Views MDHHS agrees with the finding.
FINDING 2022-024 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure MHP, PIHP, MI Choice, and Dental Health Plan medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports. The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care. Criteria Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports. Cause MDHHS informed us it relies on the attestation included within the MLR reports indicating the information submitted is current, complete, accurate, and in compliance with federal regulation 42 CFR 438.8; therefore, MDHHS did not require the comparison to be included. Effect MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports. Management Views MDHHS agrees with the finding.
FINDING 2022-025 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure an independent audit was conducted and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2022. Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries. Criteria Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website. Cause MDHHS informed us it relies on various reviews in lieu of an independent audit of encounter and financial data, such as periodically comparing CHAMPS encounter data with the managed care entities' internally stored encounter data to identify variances. Effect We consider this to be a material weakness and material noncompliance because MDHHS significantly limits its assurance the data submitted by the managed care entities is accurate. Also, inaccurate data could affect the capitation rates developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. 
Recommendation We recommend MDHHS ensure an independent audit is conducted and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities. Management Views MDHHS agrees with the finding.
FINDING 2022-002 SIGMA High-Risk Activity Monitoring See Schedule of Findings and Questioned Costs for chart/table. Condition DTMB did not sufficiently monitor the DMVA and MSP high-risk activity reports to ensure users performed only authorized bypass and override actions in SIGMA. We noted DTMB did not perform the high-risk activity monitoring in a timely manner for all 6 sampled reports. DTMB provided evidence it reviewed the reports; however, on average, these reviews were completed 313 days after the reporting periods. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires agencies to monitor privileged system functions to help mitigate the risk from insider threats and detect misuse. Cause DTMB informed us a lack of oversight prevented the timely review of high-risk activity reports, and it has since reassigned staff responsibilities accordingly. Effect Individuals may have made inappropriate bypass or override actions in SIGMA that were not detected in a timely manner. As a result, an increased risk exists that DTMB did not identify inappropriate or high-risk activity associated with SIGMA transactions. 
Known Questioned Costs None. Recommendation We recommend DTMB sufficiently monitor the DMVA and MSP high-risk activity reports to ensure users performed only authorized bypass and override actions in SIGMA. Management Views DTMB agrees with the finding.
FINDING 2022-026 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC), ALN 93.323 and Disaster Grants - Public Assistance (Presidentially Declared Disasters), ALN 97.036 - Long-Term Care (LTC) Facility COVID-19 Testing Reimbursements See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not maintain sufficient documentation to demonstrate a process was in place to ensure long-term care (LTC) facility COVID-19 testing reimbursement requests, totaling $48.5 million ($46.4 million Disaster Grants - Public Assistance (Presidentially Declared Disasters) and $2.1 million ELC), were reasonable and appropriate. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over the federal award that provides reasonable assurance the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Also, Subpart E of federal regulations 2 CFR 200 and 5 CFR 75 require costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program. Cause MDHHS believed its process was sufficient to ensure requests were reasonable and appropriate. However, the documentation provided did not substantiate the procedures completed. Effect MDHHS could not demonstrate the costs complied with the applicable federal regulations ensuring reasonableness of the amounts requested. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS maintain sufficient documentation to demonstrate its process to ensure LTC facility COVID-19 testing reimbursement requests are reasonable and appropriate. Management Views MDHHS agrees with the finding.
FINDING 2022-060 Disaster Grants - Public Assistance (Presidentially Declared Disasters), ALN 97.036, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MSP did not ensure that it timely reported Disaster Grants - Public Assistance subaward information as required by FFATA. We reviewed 8 subawards totaling $5,961,983 and noted MSP did not timely report subaward information for 3 (38%) subawards totaling $1,876,788. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MSP report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MSP informed us that responding to the unprecedented challenges of the COVID-19 pandemic and several other Michigan disasters with limited resources impacted its ability to complete FFATA reporting timely. Effect MSP grant information was not available for public access through the federal website established to improve transparency of governmental spending as required. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MSP ensure it timely reports the Disaster Grants - Public Assistance subaward information as required by FFATA. Management Views MSP agrees with the finding.
FINDING 2022-061 Disaster Grants - Public Assistance (Presidentially Declared Disasters), ALN 97.036, Subrecipient Monitoring - Subrecipient Audits See Schedule of Findings and Questioned Costs for chart/table. Condition MSP did not appropriately monitor its subrecipients to ensure they complied with the Uniform Guidance. MSP utilized a tracking sheet to identify those subrecipients that required a single audit and a form to document its review of subrecipient single audits. We sampled 5 subrecipients and noted for 2 (40%): a. MSP did not appropriately identify or document if the subrecipients required a single audit. Therefore, MSP did not monitor these subrecipients to ensure the status or submission of their single audit reports. We verified both subrecipients obtained the required single audits. b. MSP did not complete single audit report review forms. Therefore, MSP did not take steps to determine whether a management decision letter was needed. We verified there were no findings related to both subrecipients' federal awards. Criteria Federal regulation 2 CFR 200.501 requires nonfederal entities who expend $750,000 or more in federal awards during their fiscal year to obtain a single audit for that fiscal year. Also, federal regulation 2 CFR 200.332(f) requires the pass-through entity to verify these subrecipients are audited as required by Subpart F of the Uniform Guidance, Audit Requirements, when it is expected the subrecipient's federal awards expended during the respective fiscal year equaled or exceeded the $750,000 threshold. In addition, federal regulation 2 CFR 200.521(d) requires MSP to issue a management decision letter on the appropriateness of all audit findings related to its federal awards and the subrecipient's corrective action plan within six months of acceptance by the FAC. 
Cause MSP informed us a miscommunication between its staff regarding its query of subrecipient expenditure data resulted in subrecipients being excluded from the tracking sheet. Effect MSP limited the State's assurance that its subrecipients complied with grant requirements and implemented corrective actions for audit findings to prevent future sanctions or disallowed costs, which could necessitate adjustments to MSP's records. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MSP appropriately monitor its subrecipients to ensure they comply with the Uniform Guidance. Management Views MSP agrees with the finding.
FINDING 2022-002 SIGMA High-Risk Activity Monitoring See Schedule of Findings and Questioned Costs for chart/table. Condition DTMB did not sufficiently monitor the DMVA and MSP high-risk activity reports to ensure users performed only authorized bypass and override actions in SIGMA. We noted DTMB did not perform the high-risk activity monitoring in a timely manner for all 6 sampled reports. DTMB provided evidence it reviewed the reports; however, on average, these reviews were completed 313 days after the reporting periods. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires agencies to monitor privileged system functions to help mitigate the risk from insider threats and detect misuse. Cause DTMB informed us a lack of oversight prevented the timely review of high-risk activity reports, and it has since reassigned staff responsibilities accordingly. Effect Individuals may have made inappropriate bypass or override actions in SIGMA that were not detected in a timely manner. As a result, an increased risk exists that DTMB did not identify inappropriate or high-risk activity associated with SIGMA transactions. 
Known Questioned Costs None. Recommendation We recommend DTMB sufficiently monitor the DMVA and MSP high-risk activity reports to ensure users performed only authorized bypass and override actions in SIGMA. Management Views DTMB agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform postimplementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-007 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted: a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan. b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing. c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP. 
Cause MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment. Effect MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding. For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. 
For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability. For part c., although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls.
Auditor's Comments to Management Views The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-027 SNAP Cluster, ALN 10.551 and 10.561, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - System and Organization Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS should ensure it obtains and reviews System and Organization Controls (SOC) reports* covering the entire audit period for services provided by the State's electronic benefits transfer (EBT) service provider. We noted: a. MDHHS did not obtain and review the SOC report or obtain a bridge letter for the EBT service provider who provided services for the first month of fiscal year 2022. b. MDHHS did not obtain a bridge letter for the period not covered by the SOC report for 2 of the 4 SOC reports reviewed. c. MDHHS did not review and evaluate 2 of the 4 SOC reports received. d. MDHHS did not timely review the remaining 2 SOC reports received. Reviews occurred, on average, 124 days past the required 30 days. Criteria Federal regulation 7 CFR 274.1(i)(1) requires states to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies, and to report any violations to the federal government. Also, federal regulation 7 CFR 274.1(i)(2) requires states to obtain a SOC report by an independent auditor of the state EBT service provider regarding the issuance, redemption, and settlement of benefits under SNAP, and the SOC report must cover the entire period since the previous examination. The SOC report must follow EBT guidance as indicated in various federal regulations and Appendix VIII of the OMB Compliance Supplement to the extent the guidelines relate to SNAP benefits. The State of Michigan Financial Management Guide (FMG) (Part VII, Chapter 1, Section 1000) prescribes guidelines for departments to assess and manage risks associated with third-party relationships.
Departments need to understand and/or evaluate risks and the controls each service organization designs, implements, and operates for the assigned operational process and how the service organization's internal control system impacts the department's internal control system. The FMG provides required SOC report review procedures and requires management to complete the review within 30 days of receiving the SOC report. Cause MDHHS stated competing priorities delayed the SOC report reviews and it did not believe they needed to review two of the SOC reports. Effect MDHHS cannot ensure general controls of vendor-hosted systems are sufficient to ensure the security of the issuance, redemption, and settlement of EBT benefits. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it obtains and reviews SOC reports covering the entire audit period for services provided by the State's EBT service provider. Management Views MDHHS agrees with the finding.
FINDING 2022-028 SNAP Cluster, ALN 10.551 and 10.561, Special Tests and Provisions - EBT Reconciliations See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS is responsible for determining eligibility for SNAP benefits. The State's EBT provider then provides the SNAP recipient with a debit card which can be used for food purchases at authorized retailer stores. The State's EBT contractor is responsible for paying retailers that have accepted EBT cards for qualified purchases. The EBT contractor then receives funds from the State, via wire transfer, as reimbursement for the retail purchases. MDHHS is responsible for reconciling the payments made to retailers by its EBT contractor with the amounts drawn from its EBT account with the U.S. Department of the Treasury. Condition MDHHS did not complete daily reconciliations of payments made to retailers by its EBT contractor with the client information recorded in its system and the reports used to make the federal draw. MDHHS developed the Benefit Issuer Food Stamp Report to summarize the total detailed daily client SNAP activity reported by its EBT contractor; however, because of inaccuracies, MDHHS did not use the report in its reconciliation process. Criteria Federal regulation 7 CFR 274.1(i)(1) requires state agencies to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies and to report any violations to the federal government. Also, federal regulation 7 CFR 274.4(a) requires state agencies to reconcile total EBT funds entering into, exiting from, and remaining in the EBT contractor's system each day and to verify retailer credit against the deposit information entered in the ACH. 
Cause MDHHS informed us that because its Benefit Issuer Food Stamp Report did not include recipients who received SNAP benefits under the expanded COVID-19 eligibility requirements, it was unable to complete the reconciliation. MDHHS also noted a change in its EBT contractor contributed to the delay in modifying the report. Effect Without proper reconciliation procedures in place, MDHHS could not ensure daily SNAP payment amounts recorded in its system were accurate. We consider this to be a material weakness and material noncompliance because of the amount of SNAP benefits issued through the EBT process and because this required daily reconciliation was not in place in fiscal year 2022. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS complete daily reconciliations of payments made to retailers by its EBT contractor with client information recorded in its system and the reports used to make the federal draw. Management Views MDHHS agrees with the finding.
FINDING 2022-029 SNAP Cluster, ALN 10.551 and 10.561, Special Tests and Provisions - EBT Card Security See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure its EBT contractor conducted monthly physical inventories of EBT cards used to provide SNAP benefits to eligible individuals. MDHHS could not provide 1 (8%) of the 12 monthly reports used by the contractor to monitor EBT cards issued and replaced. Criteria Federal regulation 7 CFR 274.1(i)(1) requires states to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies, and to report any violations to the federal government. Also, federal regulation 7 CFR 274.8(b)(3) requires states to maintain adequate security over EBT cards to prevent theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use. Cause MDHHS stated a change in the EBT contractor prevented it from obtaining the October 2021 report because the prior contractor decommissioned Michigan's EBT server. Effect MDHHS cannot determine how many EBT cards were issued or replaced during October 2021. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure its EBT contractor conducts monthly physical inventories of EBT cards to monitor EBT cards issued and replaced. Management Views MDHHS agrees with the finding.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually.
For parts b. and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding.
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a.
c. MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS.
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-007 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted: a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan. b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing. c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP. 
Cause MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment. Effect MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding. For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. 
For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability. For part c, although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls. 
Auditor's Comments to Management Views The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-027 SNAP Cluster, ALN 10.551 and 10.561, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - System and Organization Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS should ensure it obtains and reviews System and Organization Controls (SOC) reports* covering the entire audit period for services provided by the State's electronic benefits transfer (EBT) service provider. We noted: a. MDHHS did not obtain and review the SOC report or obtain a bridge letter for the EBT service provider who provided services for the first month of fiscal year 2022. b. MDHHS did not obtain a bridge letter for the period not covered by the SOC report for 2 of the 4 SOC reports reviewed. c. MDHHS did not review and evaluate 2 of the 4 SOC reports received. d. MDHHS did not timely review the remaining 2 SOC reports received. Reviews occurred, on average, 124 days past the required 30 days. Criteria Federal regulation 7 CFR 274.1(i)(1) requires states to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies, and to report any violations to the federal government. Also, federal regulation 7 CFR 274.1(i)(2) requires states to obtain a SOC report by an independent auditor of the state EBT service provider regarding the issuance, redemption, and settlement of benefits under SNAP, and the SOC report must cover the entire period since the previous examination. The SOC report must follow EBT guidance as indicated in various federal regulations and Appendix VIII of the OMB Compliance Supplement to the extent the guidelines relate to SNAP benefits. The State of Michigan Financial Management Guide (FMG) (Part VII, Chapter 1, Section 1000) prescribes guidelines for departments to assess and manage risks associated with third-party relationships. 
Departments need to understand and/or evaluate risks and the controls each service organization designs, implements, and operates for the assigned operational process and how the service organization's internal control system impacts the department's internal control system. The FMG provides required SOC report review procedures and requires management to complete the review within 30 days of receiving the SOC report. Cause MDHHS stated competing priorities delayed the SOC report reviews and it did not believe they needed to review two of the SOC reports. Effect MDHHS cannot ensure general controls of vendor-hosted systems are sufficient to ensure the security of the issuance, redemption, and settlement of EBT benefits. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it obtains and reviews SOC reports covering the entire audit period for services provided by the State's EBT service provider. Management Views MDHHS agrees with the finding.
FINDING 2022-028 SNAP Cluster, ALN 10.551 and 10.561, Special Tests and Provisions - EBT Reconciliations See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS is responsible for determining eligibility for SNAP benefits. The State's EBT provider then provides the SNAP recipient with a debit card which can be used for food purchases at authorized retailer stores. The State's EBT contractor is responsible for paying retailers that have accepted EBT cards for qualified purchases. The EBT contractor then receives funds from the State, via wire transfer, as reimbursement for the retail purchases. MDHHS is responsible for reconciling the payments made to retailers by its EBT contractor with the amounts drawn from its EBT account with the U.S. Department of the Treasury. Condition MDHHS did not complete daily reconciliations of payments made to retailers by its EBT contractor with the client information recorded in its system and the reports used to make the federal draw. MDHHS developed the Benefit Issuer Food Stamp Report to summarize the total detailed daily client SNAP activity reported by its EBT contractor; however, because of inaccuracies, MDHHS did not use the report in its reconciliation process. Criteria Federal regulation 7 CFR 274.1(i)(1) requires state agencies to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies and to report any violations to the federal government. Also, federal regulation 7 CFR 274.4(a) requires state agencies to reconcile total EBT funds entering into, exiting from, and remaining in the EBT contractor's system each day and to verify retailer credit against the deposit information entered in the ACH. 
Cause MDHHS informed us that because its Benefit Issuer Food Stamp Report did not include recipients who received SNAP benefits under the expanded COVID-19 eligibility requirements, it was unable to complete the reconciliation. MDHHS also noted a change in its EBT contractor contributed to the delay in modifying the report. Effect Without proper reconciliation procedures in place, MDHHS could not ensure daily SNAP payment amounts recorded in its system were accurate. We consider this to be a material weakness and material noncompliance because of the amount of SNAP benefits issued through the EBT process and because this required daily reconciliation was not in place in fiscal year 2022. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS complete daily reconciliations of payments made to retailers by its EBT contractor with client information recorded in its system and the reports used to make the federal draw. Management Views MDHHS agrees with the finding.
FINDING 2022-029 SNAP Cluster, ALN 10.551 and 10.561, Special Tests and Provisions - EBT Card Security See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure its EBT contractor conducted monthly physical inventories of EBT cards used to provide SNAP benefits to eligible individuals. MDHHS could not provide 1 (8%) of the 12 monthly reports used by the contractor to monitor EBT cards issued and replaced. Criteria Federal regulation 7 CFR 274.1(i)(1) requires states to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies, and to report any violations to the federal government. Also, federal regulation 7 CFR 274.8(b)(3) requires states to maintain adequate security over EBT cards to prevent theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use. Cause MDHHS stated a change in the EBT contractor prevented it from obtaining the October 2021 report because the prior contractor decommissioned Michigan's EBT server. Effect MDHHS cannot determine how many EBT cards were issued or replaced during October 2021. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure its EBT contractor conducts monthly physical inventories of EBT cards to monitor EBT cards issued and replaced. Management Views MDHHS agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually.
For parts b. and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding.
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a.
c. MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS.
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-007 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted: a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan. b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing. c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP. 
Cause MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment. Effect MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding. For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. 
For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability. For part c., although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls.
Auditor's Comments to Management Views The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-027 SNAP Cluster, ALN 10.551 and 10.561, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - System and Organization Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS should ensure it obtains and reviews System and Organization Controls (SOC) reports* covering the entire audit period for services provided by the State's electronic benefits transfer (EBT) service provider. We noted: a. MDHHS did not obtain and review the SOC report or obtain a bridge letter for the EBT service provider who provided services for the first month of fiscal year 2022. b. MDHHS did not obtain a bridge letter for the period not covered by the SOC report for 2 of the 4 SOC reports reviewed. c. MDHHS did not review and evaluate 2 of the 4 SOC reports received. d. MDHHS did not timely review the remaining 2 SOC reports received. Reviews occurred, on average, 124 days past the required 30 days. Criteria Federal regulation 7 CFR 274.1(i)(1) requires states to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies, and to report any violations to the federal government. Also, federal regulation 7 CFR 274.1(i)(2) requires states to obtain a SOC report by an independent auditor of the state EBT service provider regarding the issuance, redemption, and settlement of benefits under SNAP, and the SOC report must cover the entire period since the previous examination. The SOC report must follow EBT guidance as indicated in various federal regulations and Appendix VIII of the OMB Compliance Supplement to the extent the guidelines relate to SNAP benefits. The State of Michigan Financial Management Guide (FMG) (Part VII, Chapter 1, Section 1000) prescribes guidelines for departments to assess and manage risks associated with third-party relationships.
Departments need to understand and/or evaluate risks and the controls each service organization designs, implements, and operates for the assigned operational process and how the service organization's internal control system impacts the department's internal control system. The FMG provides required SOC report review procedures and requires management to complete the review within 30 days of receiving the SOC report. Cause MDHHS stated competing priorities delayed the SOC report reviews and it did not believe they needed to review two of the SOC reports. Effect MDHHS cannot ensure general controls of vendor-hosted systems are sufficient to ensure the security of the issuance, redemption, and settlement of EBT benefits. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it obtains and reviews SOC reports covering the entire audit period for services provided by the State's EBT service provider. Management Views MDHHS agrees with the finding.
FINDING 2022-028 SNAP Cluster, ALN 10.551 and 10.561, Special Tests and Provisions - EBT Reconciliations See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS is responsible for determining eligibility for SNAP benefits. The State's EBT provider then provides the SNAP recipient with a debit card which can be used for food purchases at authorized retailer stores. The State's EBT contractor is responsible for paying retailers that have accepted EBT cards for qualified purchases. The EBT contractor then receives funds from the State, via wire transfer, as reimbursement for the retail purchases. MDHHS is responsible for reconciling the payments made to retailers by its EBT contractor with the amounts drawn from its EBT account with the U.S. Department of the Treasury. Condition MDHHS did not complete daily reconciliations of payments made to retailers by its EBT contractor with the client information recorded in its system and the reports used to make the federal draw. MDHHS developed the Benefit Issuer Food Stamp Report to summarize the total detailed daily client SNAP activity reported by its EBT contractor; however, because of inaccuracies, MDHHS did not use the report in its reconciliation process. Criteria Federal regulation 7 CFR 274.1(i)(1) requires state agencies to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies and to report any violations to the federal government. Also, federal regulation 7 CFR 274.4(a) requires state agencies to reconcile total EBT funds entering into, exiting from, and remaining in the EBT contractor's system each day and to verify retailer credit against the deposit information entered in the ACH. 
Cause MDHHS informed us that because its Benefit Issuer Food Stamp Report did not include recipients who received SNAP benefits under the expanded COVID-19 eligibility requirements, it was unable to complete the reconciliation. MDHHS also noted a change in its EBT contractor contributed to the delay in modifying the report. Effect Without proper reconciliation procedures in place, MDHHS could not ensure daily SNAP payment amounts recorded in its system were accurate. We consider this to be a material weakness and material noncompliance because of the amount of SNAP benefits issued through the EBT process and because this required daily reconciliation was not in place in fiscal year 2022. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS complete daily reconciliations of payments made to retailers by its EBT contractor with client information recorded in its system and the reports used to make the federal draw. Management Views MDHHS agrees with the finding.
FINDING 2022-029 SNAP Cluster, ALN 10.551 and 10.561, Special Tests and Provisions - EBT Card Security See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure its EBT contractor conducted monthly physical inventories of EBT cards used to provide SNAP benefits to eligible individuals. MDHHS could not provide 1 (8%) of the 12 monthly reports used by the contractor to monitor EBT cards issued and replaced. Criteria Federal regulation 7 CFR 274.1(i)(1) requires states to establish procedures to monitor SNAP benefit issuers to ensure their operations comply with SNAP requirements, including the identification and correction of deficiencies, and to report any violations to the federal government. Also, federal regulation 7 CFR 274.8(b)(3) requires states to maintain adequate security over EBT cards to prevent theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use. Cause MDHHS stated a change in the EBT contractor prevented it from obtaining the October 2021 report because the prior contractor decommissioned Michigan's EBT server. Effect MDHHS cannot determine how many EBT cards were issued or replaced during October 2021. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure its EBT contractor conducts monthly physical inventories of EBT cards to monitor EBT cards issued and replaced. Management Views MDHHS agrees with the finding.
FINDING 2022-013 MDE, Security Management and Access Controls

See Schedule of Findings and Questioned Costs for chart/table.

Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted:

a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed:

   (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts.

   (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users.

b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.

c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys.

d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below:

See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.

SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days.

MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.

Cause
For part a., MDE informed us security administrators did not always follow established processes for granting and approving access.

For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested.

For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts.

For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems.

Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran.

Management Views
MDE agrees with the finding.
FINDING 2022-014 MDE, Change Management Process

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 29 MiND and 12 NexSys change deployments and noted:

See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.

Management Views
MDE agrees with the finding.
FINDING 2022-030 Food Distribution Cluster, ALN 10.565, 10.568, and 10.569, Special Tests and Provisions - Accountability for USDA Foods

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not adequately review the records of eligible recipient agencies (ERAs) receiving and distributing USDA donated foods through The Emergency Food Assistance Program (TEFAP) (Food Commodities), ALN 10.569. Our review of 6 of 29 ERAs disclosed:

a. MDE discontinued the reporting period reconciliations beginning in April 2022 impacting all 6 sampled ERAs.

b. For 2 TEFAP food receipt and distribution reports received prior to April 2022, MDE did not document and follow up on food inventory activity differences.

Criteria
Federal regulation 7 CFR 251.10(e) requires MDE to monitor TEFAP operations to ensure the program is administered in accordance with federal and State requirements.

MDE's TEFAP State Plan requires each ERA to submit a quarterly inventory record which is to be reviewed by MDE to ensure USDA foods are distributed in appropriate amounts to households. As part of its monitoring procedures, MDE required ERAs to submit food receipt and distribution reports at least quarterly for reconciliation of donated food shipments with Food and Nutrition Service (FNS) web-based supply chain management reports.

Cause
MDE informed us it was developing a new monitoring process because it believed the reconciliations were inefficient and not reflective of TEFAP inventory movement. As a result, it discontinued the reconciliations and no longer required ERAs to submit the food receipt and distribution reports for the last 6 months of fiscal year 2022.

Effect
We consider this to be a material weakness and material noncompliance because MDE did not monitor USDA donated foods for the last 6 months of fiscal year 2022. Failure to comply with recordkeeping requirements may result in the loss or misuse of donated foods. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs
None.

Recommendation
We recommend MDE adequately review records of ERAs receiving and distributing USDA donated foods through TEFAP.

Management Views
MDE agrees with the finding.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-014 MDE, Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 29 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDE informed us that because of an oversight, it did not document the testing results and close the work items. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDE fully implement an effective change management process over MiND and NexSys. Management Views MDE agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-031 Pandemic EBT Food Benefits, ALN 10.542, Activities Allowed or Unallowed and Eligibility - Overpayment of Benefits See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not always ensure accurate P-EBT benefits were provided to eligible beneficiaries. We noted for 1 (4%) of the 26 sampled cases reviewed, MDHHS duplicated the summer benefits resulting in an overpayment of $782. Criteria The Families First Coronavirus Response Act of 2020 (Public Law 116-127), as amended, requires MDHHS to have an approved state plan to provide P-EBT food benefits to households with children who would otherwise receive free or reduced-price meals if not for their schools being closed because of the COVID-19 emergency. MDHHS's P-EBT State Plan states it will provide the standard benefit amount for the summer period and will identify the eligible children based on eligibility in the last month of the school year. Cause MDHHS informed us that because of the timing of the 2022-2023 school enrollment for these children, a system error duplicated the 2022 summer benefits. Effect MDHHS overpaid P-EBT benefits by $782 for the sampled cases. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $782 - federal share. Recommendation We recommend MDHHS ensure accurate P-EBT benefits are provided to eligible beneficiaries. Management Views MDHHS agrees with the finding.
FINDING 2022-032 Pandemic EBT Food Benefits, ALN 10.542, Reporting - Report of Disaster Supplemental Nutrition Assistance Benefit Issuance See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not have a process in place to ensure it maintained documentation to support the submitted Report of Disaster Supplemental Nutrition Assistance Benefit Issuance (FNS-292B). For all 3 sampled reports, MDHHS did not retain auditable submitted information, such as copies or screen prints of submitted reports. Rather, MDHHS provided us an e-mail disclosing the information which it represented as submitted. Criteria Federal regulation 2 CFR 200.334 requires financial records, supporting documents, statistical records, and all other nonfederal entity records pertinent to a federal award must be retained for a period of three years from the date of submission of the final expenditure report. Federal Register 86:89 (11 May 2021) page 25,837 requires state agencies to report the number of eligible children and households receiving P-EBT benefits and total value of the benefits monthly. Cause MDHHS informed us it electronically submitted the FNS-292B using the Food Program Reporting System (FPRS), but it did not retain copies of the submitted reports and the submitted reports were not available in FPRS. Effect We were unable to validate the information submitted to USDA on the FNS-292B. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS establish a process to ensure it maintains documentation to support submitted FNS-292B reports. Management Views MDHHS disagrees that federal regulations require MDHHS to maintain copies or screenshots of FNS-292B information reported on the federal website. MDHHS normally has the ability to access the information on the federal system. 
However, during audit fieldwork, the FNS-292B information MDHHS submitted on the federal website was not viewable to the auditors because the reports were under federal review. MDHHS did not retain a copy or screen prints of the submitted reports; however, MDHHS did maintain the underlying reports used to compile the submitted FNS-292B reports and this was provided to the auditors during fieldwork. Auditor's Comments to Management View MDHHS acknowledges it did not maintain a copy or screen prints of submitted reports. Documentation of submitted reports is necessary to provide auditable information to validate the accuracy of the report submission. MDHHS provided a spreadsheet and an e-mail disclosing the information which it represented as submitted; however, this information did not substantiate the FNS-292B was accurately submitted. Therefore, the finding stands as written.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-014 MDE, Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 29 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDE informed us that because of an oversight, it did not document the testing results and close the work items. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDE fully implement an effective change management process over MiND and NexSys. Management Views MDE agrees with the finding.
FINDING 2022-001 Confidential Information in SIGMA* See Schedule of Findings and Questioned Costs for chart/table. Condition The Department of Military and Veterans Affairs (DMVA) and the Michigan Department of State Police (MSP) included user identification (ID) numbers, deemed confidential information by the Department of Technology, Management, and Budget (DTMB) policy, within document attachments when entering program expenditures in the Statewide Integrated Governmental Management Applications (SIGMA). Criteria Title 2, Part 200, section 303(e) of the Code of Federal Regulations* (CFR) requires the State to take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive or the State considers sensitive consistent with applicable federal, state, local, and tribal laws regarding privacy and obligations of confidentiality*. State of Michigan Administrative Guide to State Government policy 1340.00 states security* controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity*, and availability* of State of Michigan information. The policy also requires State agencies to identify and classify their information assets based on sensitivity, criticality, and risk. State of Michigan (SOM) Technical Standard 1340.00.150.02 provides a data classification framework, including examples of confidential and restricted data, to assist State agencies in protecting the confidentiality, integrity, and availability of their systems and information. DTMB Administrative Policy 900.01, last revised in November 2016, established a data classification framework for its information assets, which includes SIGMA. Also, the policy defines and provides examples of confidential data, such as user IDs. 
Cause SIGMA users were unaware of the DTMB policy identifying user ID as confidential information. When DTMB Administrative Policy 900.01 was originally drafted, user ID was included as an example since the data element could be considered confidential by an organization unit. Effect State employees without a business need had the ability to view confidential information in SIGMA. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend DMVA and MSP adhere to established DTMB policies for confidential information in SIGMA. Management Views DMVA and MSP disagree that confidential information was included in SIGMA. Follow-up with DTMB confirmed that user ID is not considered confidential data at the DTMB enterprise level. Auditor's Comments to Management Views* In June 2023, subsequent to our review, DTMB revised the DTMB Administrative Policy 900.01. These revisions do not negate that a significant deficiency existed in fiscal year 2022. Therefore, the finding stands as written.
FINDING 2022-002 SIGMA High-Risk Activity Monitoring See Schedule of Findings and Questioned Costs for chart/table. Condition DTMB did not sufficiently monitor the DMVA and MSP high-risk activity reports to ensure users performed only authorized bypass and override actions in SIGMA. We noted DTMB did not perform the high-risk activity monitoring in a timely manner for all 6 sampled reports. DTMB provided evidence it reviewed the reports; however, on average, these reviews were completed 313 days after the reporting periods. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires agencies to monitor privileged system functions to help mitigate the risk from insider threats and detect misuse. Cause DTMB informed us a lack of oversight prevented the timely review of high-risk activity reports, and it has since reassigned staff responsibilities accordingly. Effect Individuals may have made inappropriate bypass or override actions in SIGMA that were not detected in a timely manner. As a result, an increased risk exists that DTMB did not identify inappropriate or high-risk activity associated with SIGMA transactions. 
Known Questioned Costs None. Recommendation We recommend DTMB sufficiently monitor the DMVA and MSP high-risk activity reports to ensure users performed only authorized bypass and override actions in SIGMA. Management Views DTMB agrees with the finding.
FINDING 2022-033 National Guard Military Operations and Maintenance (O&M) Projects, ALN 12.401, Cash Management - Timeliness of Cash Draws See Schedule of Findings and Questioned Costs for chart/table. Condition DMVA did not ensure its reimbursement requests were prepared in accordance with the CMIA, the program Master Cooperative Agreement, and National Guard Regulations. We sampled 40 cash draws and noted: a. DMVA prepared reimbursement requests from 71 to 189 days after the close of the month for 5 (13%) sampled cash draws. b. DMVA did not maintain documentation to support the timeliness of reimbursement requests for 5 (13%) sampled cash draws. c. DMVA did not timely submit an expenditure report for federal approval for 1 (3%) sampled cash draw. Criteria Federal regulation 31 CFR 205 Subpart B and the Master Cooperative Agreement require a State must minimize the time between the drawdown of federal funds from the federal government and their disbursement for federal program purposes. The timing and amount of funds transfers must be as close as is administratively feasible to a state's actual cash outlay for direct program costs. National Guard Regulation 5-1 requires the grantee to expend state government funds first and then to submit request for reimbursement for allowable cooperative agreement costs. For construction appendices, DMVA sends the expenditure reports to the federal Construction and Facilities Management Officer (CFMO) for review and approval of the federal coding to be applied prior to DMVA preparing the reimbursement request. After the CFMO approves the coding, DMVA prepares the SF-270 and sends it back to the CFMO for final approval and submission to the United States Property and Fiscal Office. Cause DMVA informed us year-end closing activities and delays in receiving information from federal program managers impacted the timeliness of draws. Effect DMVA limited its assurance it complied with CMIA. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend DMVA ensure its reimbursement requests are prepared in accordance with the CMIA, the program Master Cooperative Agreement, and National Guard Regulations. Management Views DMVA agrees with the finding.
FINDING 2022-034 Community Development Block Grants/State's program, ALN 14.228, Reporting - Timeliness of Performance Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MSHDA did not ensure timely submission of the Consolidated Annual Performance and Evaluation Report. We noted MSHDA's 2021 program year report, which included Community Development Block Grant (CDBG) performance information compiled by the Michigan Strategic Fund (MSF), was due in September 2022 but was not submitted until March 2023. Criteria Federal regulation 24 CFR 91.520 requires an annual review and report of the progress made in carrying out a jurisdiction's strategic and action plans. This performance report is required to be submitted to the U.S. Department of Housing and Urban Development (HUD) within 90 days after the close of MSHDA's program year. Cause MSHDA informed us the 2021 program year report was not submitted timely because of miscommunication among its staff. MSHDA inaccurately believed a federal waiver applicable to the report due in fiscal year 2021 was still applicable for the report due in fiscal year 2022. Effect MSHDA may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of HUD funds. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MSHDA ensure it timely submits the Consolidated Annual Performance and Evaluation Report. Management Views MSHDA agrees with the finding.
FINDING 2022-035 Community Development Block Grants/State's program, ALN 14.228, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MSF did not ensure it reported all CDBG subawards as required by FFATA. We reviewed 36 subawards totaling $70,219,077 and noted MSF did not report 2 (6%) subawards totaling $7,675,940. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MSF to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MSF informed us these 2 subrecipients did not register for a unique entity identifier, which was required for FFATA reporting as of April 4, 2022. Effect MSF grant information was not available for public access through the federal website established to improve transparency of governmental spending as required. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MSF ensure it reports all CDBG subawards as required by FFATA. Management Views MSF agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subaward. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-036 Crime Victim Assistance, ALN 16.575, Eligibility - Subrecipient Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not have a process in place to ensure subrecipients met all federal eligibility requirements prior to awarding funds. Our review of 21 subrecipients noted the application documents and agreements lacked specific subrecipient eligibility requirements, such as the subrecipients' identification of financial support from sources other than the award or that they do not discriminate against victims because they disagree with the way the State is prosecuting the criminal case. We were able to determine the subrecipients' eligibility based on information provided subsequent to the award. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal law 34 USC 20103(b) requires MDHHS subrecipients to meet specific requirements to be eligible to receive a grant award. Cause MDHHS informed us that during its process to align policies and procedures for multiple programs, some intended eligibility requirements were inadvertently excluded from some subrecipient agreements. Effect Without a process and internal control in place to ensure subrecipient eligibility, MDHHS may have made payments to ineligible subrecipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS establish a process to ensure subrecipients meet all federal eligibility requirements prior to awarding funds. Management Views MDHHS agrees with the finding.
FINDING 2022-037 Crime Victim Assistance, ALN 16.575, Subrecipient Monitoring - Risk Assessment and During-the-Award Monitoring See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not sufficiently monitor and evaluate the risk of noncompliance with program requirements. We noted: a. MDHHS did not sufficiently monitor service activity for 3 (14%) of 21 subrecipients during fiscal year 2022. For 2 of the 3 subrecipients, MDHHS did not monitor the service activity for all quarters of fiscal year 2022. For 1 of the 3 subrecipients, MDHHS did not require the subrecipient to provide service activity data for its review. b. MDHHS did not evaluate 1 (5%) of 21 subrecipient's risk of noncompliance with program requirements to determine and implement the type of monitoring appropriate for the subrecipient. Criteria Federal regulation 2 CFR 200.332(d) requires MDHHS to monitor the activities of the subrecipient as necessary to ensure the subaward is used for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward and that subaward performance goals are achieved. In addition, federal regulation 2 CFR 200.332(b) requires MDHHS to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. As part of its monitoring procedures, MDHHS reviews subrecipient service activity data. Cause For part a., MDHHS informed us data was reviewed and certified by the grantee, but MDHHS did not document its review in the log. For the service activity data that was not reviewed, MDHHS believed the administrative portion of the Crime Victims Assistance funds did not require service activity reports. For part b., MDHHS informed us it completes its annual risk assessment by November 15 and adjusts its monitoring plan for any awards issued through March 31. 
The grant agreement commenced May 1, 2022 and continued through September 30, 2022 and, therefore, was not included in the fiscal year 2022 monitoring plan. Effect Insufficient monitoring and evaluation of subrecipients could increase the subrecipients' and MDHHS's noncompliance with federal statutes, regulations, or the terms and conditions of federal awards. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS sufficiently monitor and evaluate the risk of noncompliance with program requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-010 MARS User Access See Schedule of Findings and Questioned Costs for chart/table. Condition The Department of Labor and Economic Opportunity (LEO) did not fully establish effective user access controls over the Management of Awards to Recipients System (MARS). Michigan Works! Agencies used MARS to request reimbursement, report expenditures, and view financial data related to employment, education, and training services provided to clients. We noted: a. LEO did not review MARS user access semiannually for privileged accounts or annually for all other accounts. b. LEO did not disable 83 (44%) of 189 active MARS user accounts that had not accessed the application in over 60 days as of September 30, 2022. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts and the information system to automatically disable inactive user accounts after 60 days. 
Cause LEO informed us that because of staffing limitations, some processes could not be followed or established. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MARS. As a result, an increased risk exists that LEO cannot ensure the security of the MARS application and data used to issue payments to subrecipients* of federal awards. Known Questioned Costs None. Recommendation We recommend LEO fully establish effective user access controls over MARS. Management Views LEO agrees with the finding.
FINDING 2022-038 WIOA Cluster, ALN 17.258, 17.259, and 17.278, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition LEO did not ensure it timely reported WIOA Cluster subaward information required by the FFATA. We tested 25 subawards totaling $15,812,845 and noted LEO did not timely report subaward information for 10 (40%) subawards totaling $9,013,017. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires LEO report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause LEO informed us competing priorities impacted its ability to timely complete FFATA reporting. Effect LEO grant information was not available timely for public access through the federal website established to improve transparency of government spending as required. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend LEO ensure that it timely reports WIOA Cluster subaward information as required by FFATA. Management Views LEO agrees with the finding.
FINDING 2022-062 Unemployment Insurance, ALN 17.225 See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2022, Finding 2022-001. Finding 2022-001 Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment Insurance - 17.225 Federal Award Identification Number and Year: Affects all grant awards included under ALN 17.225 on the Schedule of Expenditures of Federal Awards Type of Finding: Material Noncompliance and Material Weakness Compliance Requirement: Allowable Costs/Cost Principles and Eligibility Known Questioned Costs: Undeterminable Repeat Finding: 2021-001 Systemic or Isolated: Systemic Criteria: The federal government set a prescribed claim progression and eligibility requirements for federal programs resulting from the Coronavirus pandemic. If a claimant is eligible for regular unemployment compensation, the claimant is ineligible for receiving benefits under the Pandemic Unemployment Assistance (PUA), Pandemic Emergency Unemployment Compensation (PEUC), or Extended Benefits (EB) programs. In addition, claimants must exhaust all rights to benefits under the previous claim type within the progression to become eligible for the subsequent claim type. Condition: In certain instances, the benefit system allowed for the payment of benefits under the PUA, PEUC, and EB programs when claimants were eligible for regular unemployment compensation or prior to the exhaustion of the previous claim type within the progression. Cause: Proper controls were not set within the benefit system to ensure proper eligibility and claim progression. Effect: Payments of benefits under federal programs have no net effect on the net position of the Fund since the expenditure is offset by a reimbursing federal revenue, whereas payments under regular unemployment compensation reduce the net position of the Fund.
Additionally, improper payments of benefits under federal programs create unallowed federal costs. Recommendation: We recommend that the Agency improve controls in the benefit system to ensure proper eligibility and claim progression. Views of Responsible Officials: Management agrees with the finding. Programming is currently in development to correct weeks paid and charged under one program which should have been paid and charged under a different program. A high priority focus is being given to weeks paid on PUA instead of EB and EB paid beyond the high unemployment period (HUP). Open SQRs to resolve this finding include: SQR 28182 - Weeks Number; SQR 36521 - Weeks Transfer Waivers; SQR 35565 - EB WeeksDelta Correction; and SQR 35994 WeeksDelta Overpayment Waiver. The expected completion date is December 31, 2023.
FINDING 2022-063 Unemployment Insurance, ALN 17.225 See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2022, Finding 2022-002. Finding 2022-002 Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment Insurance - 17.225 Federal Award Identification Number and Year: Various Type of Finding: Material Noncompliance Compliance Requirement: Special Tests and Provisions, UI Program Integrity - Overpayments Known Questioned Costs: None Repeat Finding: 2021-002 Systemic or Isolated: Systematic Criteria: States are prohibited from providing relief from charges to an employer's unemployment compensation account when the benefit overpayments are the result of the employer's failure to respond timely or adequately to a request for information. Condition: The Agency elected to relieve charges to an employer's unemployment compensation account when the benefit payment was the result of the employer's failure to respond timely or adequately due to the Covid-19 Pandemic causing unforeseen difficulties for employers within the State. Cause: The Agency implemented an SQR to credit the charges that would have typically been charged to the nonresponsive employer's unemployment compensation account during the Covid-19 Pandemic. However, there was an error in the logic of the SQR and certain employers did not have their charges associated with Covid-19 claims relieved. Effect: Certain nonresponsive employers incorrectly had their unemployment compensation account charged for benefits during the Covid-19 Pandemic. The Agency's policy to provide relief for employers during the Pandemic was not applied consistently to each employer.
Recommendation: We recommend that the Agency review the logic of the SQR that was implemented to credit the charges that would have typically been charged to the nonresponsive employer's unemployment compensation account during the Covid-19 Pandemic and review the benefits that were charged to employer accounts throughout the Covid-19 Pandemic to determine which employers were erroneously charged. Views of Responsible Officials: Management agrees with the finding. The Agency will review employer charging (SQR 36549), which is still in progress but has been delayed from the original anticipated completion date of September 30, 2022, due to conflicting prioritizations. The expected completion date is December 31, 2023.
FINDING 2022-064 Unemployment Insurance, ALN 17.225 See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2022, Finding 2022-003. Finding 2022-003 Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment Insurance - 17.225 Federal Award Identification Number and Year: Affects all grant awards included under ALN 17.225 on the Schedule of Expenditures of Federal Awards Type of Finding: Material Noncompliance Compliance Requirement: Special Tests and Provisions, UI Program Integrity - Overpayments Known Questioned Costs: None Repeat Finding: 2021-003 Systemic or Isolated: Systemic Criteria: Offsets of future unemployment compensation payments to recover prior overpayments are limited to the recovery of the prior overpayment amount in accordance with federal guidance. Condition: Unapplied offset recoveries attributable to subsequent period adjustments to the original benefit overpayment were used to recover penalties and interest. Cause: Due to the continual movement of monies as a result of changes in amounts due resulting from corrections or appeal decisions, a parameter has not been established in the benefit system to account for every possible scenario to prevent the allocation of unapplied recoveries to penalties and interest after overpayment amounts due were satisfied. Effect: Interest and penalties due under federal and state law were recovered from offsets of unemployment compensation payments. Recommendation: We recommend that the Agency add a parameter to the automated system to ensure adjustments to benefit offsets are only applied to the recovery of prior overpayment amounts. Views of Responsible Officials: Management agrees with the finding.
The necessary parameter was previously implemented that prevented the inappropriate allocations on current and subsequent benefit payment recoveries; however, subsequent reallocations of monies under specific circumstance caused prior recoupments to improperly reallocate. The Trust Fund Accounting section will perform a monthly review to confirm that no prior period adjustments reallocated recoupments to penalty and interest. The review to date has determined that the adjustment amounts are immaterial. An automated solution does not appear obtainable in the current system. The Agency is in the process of implementing a new automated system and will ensure these adjustments are programmed correctly. The expected completion date is December 31, 2025.
FINDING 2022-065 Unemployment Insurance, ALN 17.225 See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Administration Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2022, Finding 2022-001. Finding 2022-001 Federal Agency, Program Title and AL Number: U.S. Department of Labor, Unemployment Insurance - 17.225 Federal Award Identification Number and Year: UI-32846-19-60-A-26 01/01/2019 - 06/30/2021 UI-35951-21-60-A-26 01/01/2021 - 09/30/2023 UI-37230-22-55-A-26 10/01/2021 - 12/31/2024 UI-34722-20-55-A-26 04/01/2020 - 06/30/2023 Type of Finding: Significant Deficiency and Noncompliance Compliance Requirement: Activities Allowed or Unallowed and Reporting Known Questioned Costs: None Repeat Finding: 2021-001 Systemic or Isolated: Systemic Criteria: Management is responsible for the fair presentation of the financial statements and schedule of expenditures of federal awards in accordance with generally accepted accounting principles, including proper classification and presentation of grant expenditure amounts, as well as accurate reporting of expenditures of federal grant awards on grant reports. Condition: Amounts charged to certain federal grants were not accurately determined or reported due to use of outdated ETA report information in the process of allocating certain expenditures among available federal grants. The total expenditures on the schedule of expenditures of federal awards was not impacted by this error. Cause: Management indicated the errors were due to use of outdated ETA 902P report data in the worksheet used to calculate the allocations of federal expenditures among available federal awards. This was due to revisions made to the ETA 902P reports for fiscal year 2022. The Fund did not have an adequate process in place to ensure an effective review was conducted of the allocation inputs.
Effect: Adjustments to the schedule of expenditures of federal awards were required to correct the grant expenditure amounts reported, and certain grant expenditures were not reported correctly on grant reports. Absent effective procedures for properly allocating expenditures to available grants, there exists a potential for amounts to be charged to grants and reported in error and for misstatements in the financial statements and schedule of expenditures of federal awards to go undetected. Recommendation: We recommend management improve controls related to allocations of expenditures to available federal grants to ensure amounts are determined and reported in accordance with an appropriate and accurate allocation methodology. Views of Responsible Officials: The Michigan Department of Labor & Economic Opportunity (LEO) agrees with this finding and recommendation.
FINDING 2022-062 Unemployment Insurance, ALN 17.225 See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2022, Finding 2022-001. Finding 2022-001 Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment Insurance - 17.225 Federal Award Identification Number and Year: Affects all grant awards included under ALN 17.225 on the Schedule of Expenditures of Federal Awards Type of Finding: Material Noncompliance and Material Weakness Compliance Requirement: Allowable Costs/Cost Principles and Eligibility Known Questioned Costs: Undeterminable Repeat Finding: 2021-001 Systemic or Isolated: Systemic Criteria: The federal government set a prescribed claim progression and eligibility requirements for federal programs resulting from the Coronavirus pandemic. If a claimant is eligible for regular unemployment compensation, the claimant is ineligible for receiving benefits under the Pandemic Unemployment Assistance (PUA), Pandemic Emergency Unemployment Compensation (PEUC), or Extended Benefits (EB) programs. In addition, claimants must exhaust all rights to benefits under the previous claim type within the progression to become eligible for the subsequent claim type. Condition: In certain instances, the benefit system allowed for the payment of benefits under the PUA, PEUC, and EB programs when claimants were eligible for regular unemployment compensation or prior to the exhaustion of the previous claim type within the progression. Cause: Proper controls were not set within the benefit system to ensure proper eligibility and claim progression. Effect: Payments of benefits under federal programs have no net effect on the net position of the Fund since the expenditure is offset by a reimbursing federal revenue, whereas payments under regular unemployment compensation reduce the net position of the Fund.
Additionally, improper payments of benefits under federal programs create unallowed federal costs. Recommendation: We recommend that the Agency improve controls in the benefit system to ensure proper eligibility and claim progression. Views of Responsible Officials: Management agrees with the finding. Programming is currently in development to correct weeks paid and charged under one program which should have been paid and charged under a different program. A high priority focus is being given to weeks paid on PUA instead of EB and EB paid beyond the high unemployment period (HUP). Open SQRs to resolve this finding include: SQR 28182 - Weeks Number; SQR 36521 - Weeks Transfer Waivers; SQR 35565 - EB WeeksDelta Correction; and SQR 35994 WeeksDelta Overpayment Waiver. The expected completion date is December 31, 2023.
FINDING 2022-063 Unemployment Insurance, ALN 17.225 See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2022, Finding 2022-002. Finding 2022-002 Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment Insurance - 17.225 Federal Award Identification Number and Year: Various Type of Finding: Material Noncompliance Compliance Requirement: Special Tests and Provisions, UI Program Integrity - Overpayments Known Questioned Costs: None Repeat Finding: 2021-002 Systemic or Isolated: Systematic Criteria: States are prohibited from providing relief from charges to an employer's unemployment compensation account when the benefit overpayments are the result of the employer's failure to respond timely or adequately to a request for information. Condition: The Agency elected to relieve charges to an employer's unemployment compensation account when the benefit payment was the result of the employer's failure to respond timely or adequately due to the Covid-19 Pandemic causing unforeseen difficulties for employers within the State. Cause: The Agency implemented an SQR to credit the charges that would have typically been charged to the nonresponsive employer's unemployment compensation account during the Covid-19 Pandemic. However, there was an error in the logic of the SQR and certain employers did not have their charges associated with Covid-19 claims relieved. Effect: Certain nonresponsive employers incorrectly had their unemployment compensation account charged for benefits during the Covid-19 Pandemic. The Agency's policy to provide relief for employers during the Pandemic was not applied consistently to each employer.
Recommendation: We recommend that the Agency review the logic of the SQR that was implemented to credit the charges that would have typically been charged to the nonresponsive employer's unemployment compensation account during the Covid-19 Pandemic and review the benefits that were charged to employer accounts throughout the Covid-19 Pandemic to determine which employers were erroneously charged. Views of Responsible Officials: Management agrees with the finding. The Agency will review employer charging (SQR 36549), which is still in progress but has been delayed from the original anticipated completion date of September 30, 2022, due to conflicting prioritizations. The expected completion date is December 31, 2023.
FINDING 2022-064 Unemployment Insurance, ALN 17.225 See Department of Labor and Economic Opportunity, Unemployment Insurance Agency - Unemployment Compensation Fund, Report on Expenditure of Federal Awards, Year Ended September 30, 2022, Finding 2022-003. Finding 2022-003 Federal Agency, Program Title and ALN Number: U.S. Department of Labor, Unemployment Insurance - 17.225 Federal Award Identification Number and Year: Affects all grant awards included under ALN 17.225 on the Schedule of Expenditures of Federal Awards Type of Finding: Material Noncompliance Compliance Requirement: Special Tests and Provisions, UI Program Integrity - Overpayments Known Questioned Costs: None Repeat Finding: 2021-003 Systemic or Isolated: Systemic Criteria: Offsets of future unemployment compensation payments to recover prior overpayments are limited to the recovery of the prior overpayment amount in accordance with federal guidance. Condition: Unapplied offset recoveries attributable to subsequent period adjustments to the original benefit overpayment were used to recover penalties and interest. Cause: Due to the continual movement of monies as a result of changes in amounts due resulting from corrections or appeal decisions, a parameter has not been established in the benefit system to account for every possible scenario to prevent the allocation of unapplied recoveries to penalties and interest after overpayment amounts due were satisfied. Effect: Interest and penalties due under federal and state law were recovered from offsets of unemployment compensation payments. Recommendation: We recommend that the Agency add a parameter to the automated system to ensure adjustments to benefit offsets are only applied to the recovery of prior overpayment amounts. Views of Responsible Officials: Management agrees with the finding.
The necessary parameter was previously implemented that prevented the inappropriate allocations on current and subsequent benefit payment recoveries; however, subsequent reallocations of monies under specific circumstances caused prior recoupments to improperly reallocate. The Trust Fund Accounting section will perform a monthly review to confirm that no prior period adjustments reallocated recoupments to penalty and interest. The review to date has determined that the adjustment amounts are immaterial. An automated solution does not appear obtainable in the current system. The Agency is in the process of implementing a new automated system and will ensure these adjustments are programmed correctly. The expected completion date is December 31, 2025.
FINDING 2022-039 Formula Grants for Rural Areas and Tribal Transit Program, ALN 20.509, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Subrecipient Monitoring - PTMS Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Transportation (MDOT) did not fully establish effective security management and access controls over Public Transportation Management System (PTMS) users. Program subrecipients utilize PTMS to submit applications, operating assistance reports, payment requests, and inventory, such as vehicles, equipment, and facilities and renovations. Also, MDOT program staff utilize PTMS to manage subgrants and review and approve subrecipient payment requests. We noted: a. MDOT did not ensure it properly approved access for 2 of 7 sampled PTMS user accounts. b. MDOT did not review PTMS user access semiannually for privileged accounts or annually for all other accounts. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires security controls be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. 
The Standard also requires accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts. Cause MDOT informed us an oversight occurred due to employee turnover. Effect Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to PTMS. Known Questioned Costs None. Recommendation We recommend MDOT fully establish effective security management and access controls over PTMS. Management Views MDOT agrees with the finding.
FINDING 2022-040 Formula Grants for Rural Areas and Tribal Transit Program, ALN 20.509, Subrecipient Monitoring - Subrecipient Audits See Schedule of Findings and Questioned Costs for chart/table. Condition MDOT did not ensure its review of subrecipient single audit* reports and issuance of management decisions were completed within six months of the Federal Audit Clearinghouse (FAC) acceptance date. MDOT's process is to begin its review of subrecipient single audits after all applicable audits are received. Therefore, it reviewed the 2020 and 2021 single audits in March 2022 and March and April 2023, respectively. We noted: a. For all 9 sampled 2020 single audits, MDOT's reviews were not timely and ranged between 72 and 229 days late. b. MDOT had not reviewed any of its subrecipient 2021 single audits as of September 30, 2022, which should have been reviewed between June 2022 and September 2022. In addition, MDOT did not issue management decision letters within six months of the FAC acceptance date for 3 subrecipient single audit reports. Each of these reports contained material weaknesses. Criteria Federal regulation 2 CFR 200.501 requires nonfederal entities who expend $750,000 or more in federal awards during their fiscal year to obtain a single audit for that fiscal year. Also, federal regulation 2 CFR 200.332(f) requires the pass-through entity to verify these subrecipients are audited as required by Subpart F of the Uniform Guidance, Audit Requirements, when it is expected the subrecipient's federal awards expended during the respective fiscal year equaled or exceeded the $750,000 threshold. In addition, federal regulation 2 CFR 200.521 requires MDOT to issue a management decision letter on the appropriateness of all audit findings related to its federal awards and the subrecipient's corrective action plan within six months of acceptance by the FAC. Cause MDOT informed us an oversight occurred due to employee turnover and the need to update its procedures. 
Effect MDOT limited the State's assurance its subrecipients complied with grant requirements and implemented corrective action for audit findings to prevent future sanctions or disallowed costs, which could necessitate adjustments to MDOT's records. The federal grantor agency could issue sanctions or disallowance related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDOT ensure its review of subrecipient single audit reports and issuance of management decisions are completed within six months of the FAC acceptance date. Management Views MDOT agrees with the finding.
FINDING 2022-001 Confidential Information in SIGMA* See Schedule of Findings and Questioned Costs for chart/table. Condition The Department of Military and Veterans Affairs (DMVA) and the Michigan Department of State Police (MSP) included user identification (ID) numbers, deemed confidential information by the Department of Technology, Management, and Budget (DTMB) policy, within document attachments when entering program expenditures in the Statewide Integrated Governmental Management Applications (SIGMA). Criteria Title 2, Part 200, section 303(e) of the Code of Federal Regulations* (CFR) requires the State to take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive or the State considers sensitive consistent with applicable federal, state, local, and tribal laws regarding privacy and obligations of confidentiality*. State of Michigan Administrative Guide to State Government policy 1340.00 states security* controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity*, and availability* of State of Michigan information. The policy also requires State agencies to identify and classify their information assets based on sensitivity, criticality, and risk. State of Michigan (SOM) Technical Standard 1340.00.150.02 provides a data classification framework, including examples of confidential and restricted data, to assist State agencies in protecting the confidentiality, integrity, and availability of their systems and information. DTMB Administrative Policy 900.01, last revised in November 2016, established a data classification framework for its information assets, which includes SIGMA. Also, the policy defines and provides examples of confidential data, such as user IDs. 
Cause SIGMA users were unaware of the DTMB policy identifying user ID as confidential information. When DTMB Administrative Policy 900.01 was originally drafted, user ID was included as an example since the data element could be considered confidential by an organization unit. Effect State employees without a business need had the ability to view confidential information in SIGMA. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend DMVA and MSP adhere to established DTMB policies for confidential information in SIGMA. Management Views DMVA and MSP disagree that confidential information was included in SIGMA. Follow-up with DTMB confirmed that user ID is not considered confidential data at the DTMB enterprise level. Auditor's Comments to Management Views* In June 2023, subsequent to our review, DTMB revised the DTMB Administrative Policy 900.01. These revisions do not negate that a significant deficiency existed in fiscal year 2022. Therefore, the finding stands as written.
FINDING 2022-002 SIGMA High-Risk Activity Monitoring See Schedule of Findings and Questioned Costs for chart/table. Condition DTMB did not sufficiently monitor the DMVA and MSP high-risk activity reports to ensure users performed only authorized bypass and override actions in SIGMA. We noted DTMB did not perform the high-risk activity monitoring in a timely manner for all 6 sampled reports. DTMB provided evidence it reviewed the reports; however, on average, these reviews were completed 313 days after the reporting periods. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires agencies to monitor privileged system functions to help mitigate the risk from insider threats and detect misuse. Cause DTMB informed us a lack of oversight prevented the timely review of high-risk activity reports, and it has since reassigned staff responsibilities accordingly. Effect Individuals may have made inappropriate bypass or override actions in SIGMA that were not detected in a timely manner. As a result, an increased risk exists that DTMB did not identify inappropriate or high-risk activity associated with SIGMA transactions. 
Known Questioned Costs None. Recommendation We recommend DTMB sufficiently monitor the DMVA and MSP high-risk activity reports to ensure users performed only authorized bypass and override actions in SIGMA. Management Views DTMB agrees with the finding.
FINDING 2022-011 MATT 2.0 Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan State Housing Development Authority (MSHDA) did not fully establish effective security management and access controls over the MSHDA Activity Tracking Tool (MATT) 2.0 users. Federal program subrecipients utilize MATT 2.0 to submit financial status reports and payment requests. Also, MSHDA program staff utilize MATT 2.0 to manage subgrants and review and approve subrecipient payment requests. We noted: a. MSHDA did not establish a process to review previously created active generic or test accounts not associated with a specific user. b. MSHDA did not review user access semiannually for privileged accounts or annually for all other accounts. c. MSHDA did not disable 2,973 (85%) of 3,503 MATT 2.0 user accounts that last logged in before fiscal year 2022. These users include 75 MSHDA employees, 5 other State employees, and 2,893 external partners. Also, 2,132 (72%) of these users had not logged in since access was granted. d. MSHDA did not maintain adequate documentation that a system access form was properly approved and documented prior to granting access for 1 (11%) of 9 sampled MATT 2.0 users. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State information. 
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires agencies to specify the authorized users for each account, accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. Cause For parts a., b., and c., MSHDA informed us it is in the process of establishing controls over internal generic and test accounts and reviewing and disabling internal user accounts. Also, MSHDA believed its review should be limited to those users who do not use the portal. For part d., MSHDA informed us it is in the process of centralizing IT functions, and this is a training issue resulting because of a shift from a decentralized to a centralized IT approach. Effect Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to MATT 2.0. As a result, an increased risk exists that MSHDA cannot ensure the security of the MATT 2.0 data used to issue payments to subrecipients of federal awards. Known Questioned Costs None. Recommendation We recommend MSHDA fully establish effective security management and access controls over MATT 2.0. Management Views MSHDA agrees with the finding.
FINDING 2022-012 MATT 2.0 Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MSHDA had not fully implemented its change management process over MATT 2.0 during fiscal year 2022. We sampled 17 MATT 2.0 change records and noted for 4 (24%) records, MSHDA did not document approvals prior to implementation of changes in the production environment. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the implementation in the production environment. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems by methods such as tracking and documenting system changes. Cause For 3 of the records, MSHDA informed us it followed its previous change management process prior to implementing a stricter change management process in November 2021, which includes requiring its electronically documented approval before any production changes can be made. For the remaining record, MSHDA was not able to provide documented support in accordance with its change management process effective November 2021. Effect Without a fully implemented change management process, individuals may make unauthorized or inappropriate changes to MATT 2.0. As a result, an increased risk exists that MSHDA cannot ensure MATT 2.0 is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MSHDA fully implement its change management process over MATT 2.0. Management Views MSHDA agrees with the finding.
FINDING 2022-011 MATT 2.0 Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan State Housing Development Authority (MSHDA) did not fully establish effective security management and access controls over the MSHDA Activity Tracking Tool (MATT) 2.0 users. Federal program subrecipients utilize MATT 2.0 to submit financial status reports and payment requests. Also, MSHDA program staff utilize MATT 2.0 to manage subgrants and review and approve subrecipient payment requests. We noted: a. MSHDA did not establish a process to review previously created active generic or test accounts not associated with a specific user. b. MSHDA did not review user access semiannually for privileged accounts or annually for all other accounts. c. MSHDA did not disable 2,973 (85%) of 3,503 MATT 2.0 user accounts that last logged in before fiscal year 2022. These users include 75 MSHDA employees, 5 other State employees, and 2,893 external partners. Also, 2,132 (72%) of these users had not logged in since access was granted. d. MSHDA did not maintain adequate documentation that a system access form was properly approved and documented prior to granting access for 1 (11%) of 9 sampled MATT 2.0 users. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State information. 
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that agencies specify the authorized users for each account, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. Cause For parts a., b., and c., MSHDA informed us it is in the process of establishing controls over internal generic and test accounts and reviewing and disabling internal user accounts. Also, MSHDA believed its review should be limited to those users who do not use the portal. For part d., MSHDA informed us it is in the process of centralizing IT functions, and this is a training issue resulting from a shift from a decentralized to a centralized IT approach. Effect Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to MATT 2.0. As a result, an increased risk exists that MSHDA cannot ensure the security of the MATT 2.0 data used to issue payments to subrecipients of federal awards. Known Questioned Costs None. Recommendation We recommend MSHDA fully establish effective security management and access controls over MATT 2.0. Management Views MSHDA agrees with the finding.
FINDING 2022-012 MATT 2.0 Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MSHDA had not fully implemented its change management process over MATT 2.0 during fiscal year 2022. We sampled 17 MATT 2.0 change records and noted for 4 (24%) records, MSHDA did not document approvals prior to implementation of changes in the production environment. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the implementation in the production environment. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems by methods such as tracking and documenting system changes. Cause For 3 of the records, MSHDA informed us it followed its previous change management process prior to implementing a stricter change management process in November 2021, which includes requiring its electronically documented approval before any production changes can be made. For the remaining record, MSHDA was not able to provide documented support in accordance with its change management process effective November 2021. Effect Without a fully implemented change management process, individuals may make unauthorized or inappropriate changes to MATT 2.0. As a result, an increased risk exists that MSHDA cannot ensure MATT 2.0 is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MSHDA fully implement its change management process over MATT 2.0. Management Views MSHDA agrees with the finding.
FINDING 2022-041 Homeowner Assistance Fund, ALN 21.026, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Eligibility Determinations See Schedule of Findings and Questioned Costs for chart/table. Condition MSHDA did not obtain and maintain sufficient documentation to support the Homeowner Assistance Fund (HAF) applicants' eligibility was properly determined for 3 (12%) of 25 HAF assistance payments reviewed. We noted: a. For 1 (4%) applicant, sufficient documentation did not exist to support the applicant's eligibility. Contradictory information was provided by the applicant as to the hardship encountered from the COVID-19 pandemic. MSHDA did not detect this at the time of its review and, therefore, did not follow up with the applicant. b. For 1 (4%) applicant, MSHDA did not document the required income calculation to support the homeowner met the income eligibility requirement. We performed this calculation and determined the client was eligible for HAF assistance. c. For 1 (4%) applicant, MSHDA did not ensure its system checklist was completed prior to approving for eligibility. We determined this did not affect the applicant's eligibility. Criteria Subpart E of federal regulation 2 CFR 200 requires costs charged to federal programs be adequately documented, be necessary and reasonable for the administration of the federal award, be in accordance with the relative benefits received by the program, and be consistent with policies and procedures that apply to both the federal award and other activities of the state. The HAF guidance requires homeowners to attest that they experienced financial hardship after January 21, 2020 associated with the coronavirus pandemic. A financial hardship is defined as a material reduction in income or a material increase in expenses. The attestation must describe the nature of the financial hardship. 
MSHDA's internal policy requires case managers to verify and calculate homeowner income during their determination of eligibility in the initial review of the application. Case managers must record their calculations within the activity log. Calculations are performed to determine annual income utilizing supporting documentation. In addition, case managers must use a system checklist to ensure all parts of the application have been reviewed prior to approving the homeowner's eligibility. Cause MSHDA informed us these errors resulted from employee oversight. Effect MSHDA may have provided assistance to ineligible applicants. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $9,129 - federal share. Recommendation We recommend MSHDA obtain and maintain sufficient documentation to support the HAF applicants' eligibility is properly determined. Management Views MSHDA agrees with the finding.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested.
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-018 MDE, Subrecipient Monitoring - Subaward Information See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted: a. MDE did not report one or more of the following for 4 (16%) of 25 sampled Supporting Effective Instruction State Grant subrecipients and 28 (47%) of 60 ESF subrecipients: unique entity identifier, FAIN, federal award date, federal award project description, name of federal awarding agency and pass-through entity, ALN, Assistance Listing Title, federal award dollar amount, identification of whether the award is research and development, indirect cost rate for the federal award, an approved federally recognized indirect cost rate for the subrecipient, and closeout terms and conditions. b. MDE did not report the correct FAIN or closeout terms and conditions for all 5 sampled Coronavirus State and Local Fiscal Recovery Funds subrecipients. Criteria Federal regulation 2 CFR 200.332(a) requires that all pass-through entities ensure that every subaward includes certain information. Cause For part a., MDE informed us MEGS+ is designed to automatically generate the grant award notifications upon approval of subaward applications; however, this function did not operate correctly in fiscal year 2022. For part b., MDE informed us because of an oversight, it did not always provide all required subaward information to subrecipients. Also, MDE believed it used the best available information at the time MDE developed and executed the subawards; however, our review of documentation noted MDE was provided the program's award identification prior to the executed subawards, but MDE staff did not appropriately communicate the information to applicable parties. Effect Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. 
We consider this to be a material weakness and material noncompliance for ESF because of the high error rate related to federal award information which was not disclosed to the subrecipient. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE report to its subrecipients all subaward information as required by the Uniform Guidance. Management Views MDE agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subaward. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS.
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-014 MDE, Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 29 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDE informed us that because of an oversight, it did not document the testing results and close the work items. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDE fully implement an effective change management process over MiND and NexSys. Management Views MDE agrees with the finding.
FINDING 2022-016 MDE, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not have a process to ensure it submitted subaward information in accordance with the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. MDE's process is to reopen and overwrite the previous month's report on the FFATA Subaward Reporting System (FSRS) instead of submitting a new report each month. We reviewed FSRS and MDE's FFATA documentation and could not determine if MDE timely reported subaward information for: a. All 22 sampled Supporting Effective Instruction State Grants subawards totaling $5,435,439. b. 32 (94%) of 34 sampled Education Stabilization Fund (ESF) subawards totaling $29,957,229. c. All 10 sampled CCDF Cluster subawards totaling $6,407,071. Criteria Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on its FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards. Cause MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds available for the recipient. As a result, historical data is unavailable in FSRS. Effect We were unable to determine if MDE grant information was available in a timely manner for public access through the federal website established to improve transparency of governmental spending. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE submit subaward information in accordance with FFATA and federal guidance. Management Views MDE agrees with the finding.
FINDING 2022-018 MDE, Subrecipient Monitoring - Subaward Information See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted: a. MDE did not report one or more of the following for 4 (16%) of 25 sampled Supporting Effective Instruction State Grant subrecipients and 28 (47%) of 60 ESF subrecipients: unique entity identifier, FAIN, federal award date, federal award project description, name of federal awarding agency and pass-through entity, ALN, Assistance Listing Title, federal award dollar amount, identification of whether the award is research and development, indirect cost rate for the federal award, an approved federally recognized indirect cost rate for the subrecipient, and closeout terms and conditions. b. MDE did not report the correct FAIN or closeout terms and conditions for all 5 sampled Coronavirus State and Local Fiscal Recovery Funds subrecipients. Criteria Federal regulation 2 CFR 200.332(a) requires that all pass-through entities ensure that every subaward includes certain information. Cause For part a., MDE informed us MEGS+ is designed to automatically generate the grant award notifications upon approval of subaward applications; however, this function did not operate correctly in fiscal year 2022. For part b., MDE informed us because of an oversight, it did not always provide all required subaward information to subrecipients. Also, MDE believed it used the best available information at the time MDE developed and executed the subawards; however, our review of documentation noted MDE was provided the program's award identification prior to the executed subawards, but MDE staff did not appropriately communicate the information to applicable parties. Effect Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. 
We consider this to be a material weakness and material noncompliance for ESF because of the high error rate related to federal award information which was not disclosed to the subrecipient. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE report to its subrecipients all subaward information as required by the Uniform Guidance. Management Views MDE agrees with the finding.
FINDING 2022-042 Education Stabilization Fund, ALN 84.425, Subrecipient Monitoring - During-the-Award Monitoring Procedures See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not complete sufficient during-the-award monitoring procedures in fiscal year 2022. MDE provided its subrecipients a two-year grant and notified its subrecipients in their grant award notification that a final expenditure report (FER) was due by August 29, 2022. As of September 30, 2022, MDE received 1,335 (78%) of 1,717 FERs for the two-year grant. In addition, MDE contracted with a vendor to conduct desk reviews of ESF subrecipients beginning in July 2022. We noted: a. MDE did not complete any reviews of the FERs submitted during fiscal year 2022. We determined subrecipients submitted 990 (58%) FERs by August 29, 2022. b. Neither MDE nor its contractor could provide documentation supporting the subrecipient desk reviews finalized and whether any corrective action was required or enforcement action was taken against noncompliant subrecipients during fiscal year 2022. Criteria Federal regulation 2 CFR 200.303 requires the nonfederal entity to establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of federal awards. In addition, federal regulation 2 CFR 200.332(d) states that all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
• Reviewing financial and performance reports required by the pass-through entity.
• Following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address single audit findings related to the particular subaward.
Federal regulation 2 CFR 200.332(h) states that all pass-through entities must consider taking enforcement action against noncompliant subrecipients. MDE's grant award notifications required ESF subrecipients to submit a FER by August 29, 2022. MDE contracted for the completion of subrecipient desk reviews. Cause MDE elected to delay its review of FERs until all FERs were received. Also, because MDE's contracted desk reviews did not begin until July 2022, it was unable to finalize any individual subrecipient reviews by September 30, 2022. Effect MDE may not identify in a timely manner subrecipients that used funds for unauthorized purposes. We consider this to be a material weakness and material noncompliance because of lack of during-the-award monitoring activities. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE complete sufficient during-the-award monitoring of ESF subrecipients. Management Views For part a., MDE partially agrees with the finding. MDE acknowledges that it did not complete any reviews of the FERs submitted during fiscal year 2022. However, the Uniform Guidance does not specify a timeframe for the review of FERs for ESF funds and the ESF program is inherently more flexible than other federal programs in this regard.
Although grant award notifications (GANs) originally required ESF subrecipients to submit a FER by August 29, 2022, MDE communicated to ESF subrecipients after the initial GANs that the August 29, 2022 due date was subject to change due to the continuously changing rules and requirements around this funding, including extension possibilities such as late liquidation. ESF FERs were due either within 60 days of full draw of the funds or within 60 days of the end of the award period, which could have been during the State's fiscal year 2022 or well after September 30, 2022. For this reason, under Uniform Guidance, MDE had the authority to delay the review of FERs until closer to the end date of the award. In the case of late liquidation, the U.S. Department of Education provided notification that extended the award period as far as 14 months beyond the original end date of the award. For part b., MDE partially agrees with the finding. MDE acknowledges that subrecipient desk reviews were not finalized; however, the majority of the subrecipient monitoring was complete. The Uniform Guidance does not specify a timeframe for ESF subrecipient monitoring to occur and no requirement or expectation was made that monitoring would be finalized by MDE management by September 30, 2022. While the MDE contractor was not tracking completion against the date of September 30, 2022, documentation was and is still available, upon request from the OAG, to demonstrate the substantial ongoing monitoring activities, such as desk reviews and review of amendments, as of the end of the State's fiscal year 2022. The Compliance Team was in regular contact with MDE throughout the monitoring process. The Compliance Team provided regular updates leading up to September 30, 2022 and shared comprehensive preliminary results with the department soon after September 30, 2022. 
Auditor's Comments to Management Views We determined, and MDE acknowledged, it did not complete any FER reviews or finalize any desk reviews as part of its during-the-award monitoring activities for the $1.8 billion provided to subrecipients in fiscal year 2022. In addition, the contractor acknowledged it did not have a tracking mechanism in place identifying when desk reviews were completed; consequently, documentation did not exist to validate MDE's assertion that a majority of the subrecipient monitoring was complete. Federal regulation 2 CFR 200 Subpart F requires the SOM single audit be conducted annually in accordance with the State's fiscal year, which represents the period covered by the auditor's compliance opinion. Therefore, sufficient appropriate evidence must exist during the audit period to determine whether MDE complied with the subrecipient monitoring requirement identified as subject to audit in the OMB Compliance Supplement. Sufficient appropriate evidence did not exist in fiscal year 2022 to support compliance with federal regulation 2 CFR 200.332(d). Therefore, the finding stands as written.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested.
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-014 MDE, Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 29 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDE informed us that because of an oversight, it did not document the testing results and close the work items. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDE fully implement an effective change management process over MiND and NexSys. Management Views MDE agrees with the finding.
FINDING 2022-016 MDE, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not have a process to ensure it submitted subaward information in accordance with the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. MDE's process is to reopen and overwrite the previous month's report on the FFATA Subaward Reporting System (FSRS) instead of submitting a new report each month. We reviewed FSRS and MDE's FFATA documentation and could not determine if MDE timely reported subaward information for: a. All 22 sampled Supporting Effective Instruction State Grants subawards totaling $5,435,439. b. 32 (94%) of 34 sampled Education Stabilization Fund (ESF) subawards totaling $29,957,229. c. All 10 sampled CCDF Cluster subawards totaling $6,407,071. Criteria Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on its FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards. Cause MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds available for the recipient. As a result, historical data is unavailable in FSRS. Effect We were unable to determine if MDE grant information was available in a timely manner for public access through the federal website established to improve transparency of governmental spending. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE submit subaward information in accordance with FFATA and federal guidance. Management Views MDE agrees with the finding.
FINDING 2022-018 MDE, Subrecipient Monitoring - Subaward Information See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted: a. MDE did not report one or more of the following for 4 (16%) of 25 sampled Supporting Effective Instruction State Grant subrecipients and 28 (47%) of 60 ESF subrecipients: unique entity identifier, FAIN, federal award date, federal award project description, name of federal awarding agency and pass-through entity, ALN, Assistance Listing Title, federal award dollar amount, identification of whether the award is research and development, indirect cost rate for the federal award, an approved federally recognized indirect cost rate for the subrecipient, and closeout terms and conditions. b. MDE did not report the correct FAIN or closeout terms and conditions for all 5 sampled Coronavirus State and Local Fiscal Recovery Funds subrecipients. Criteria Federal regulation 2 CFR 200.332(a) requires that all pass-through entities ensure that every subaward includes certain information. Cause For part a., MDE informed us MEGS+ is designed to automatically generate the grant award notifications upon approval of subaward applications; however, this function did not operate correctly in fiscal year 2022. For part b., MDE informed us because of an oversight, it did not always provide all required subaward information to subrecipients. Also, MDE believed it used the best available information at the time MDE developed and executed the subawards; however, our review of documentation noted MDE was provided the program's award identification prior to the executed subawards, but MDE staff did not appropriately communicate the information to applicable parties. Effect Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. 
We consider this to be a material weakness and material noncompliance for ESF because of the high error rate related to federal award information which was not disclosed to the subrecipient. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE report to its subrecipients all subaward information as required by the Uniform Guidance. Management Views MDE agrees with the finding.
FINDING 2022-042 Education Stabilization Fund, ALN 84.425, Subrecipient Monitoring - During-the-Award Monitoring Procedures See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not complete sufficient during-the-award monitoring procedures in fiscal year 2022. MDE provided its subrecipients a two-year grant and notified its subrecipients in their grant award notification that a final expenditure report (FER) was due by August 29, 2022. As of September 30, 2022, MDE received 1,335 (78%) of 1,717 FERs for the two-year grant. In addition, MDE contracted with a vendor to conduct desk reviews of ESF subrecipients beginning in July 2022. We noted: a. MDE did not complete any reviews of the FERs submitted during fiscal year 2022. We determined subrecipients submitted 990 (58%) FERs by August 29, 2022. b. Neither MDE nor its contractor could provide documentation supporting the subrecipient desk reviews finalized and whether any corrective action was required or enforcement action was taken against noncompliant subrecipients during fiscal year 2022. Criteria Federal regulation 2 CFR 200.303 requires the nonfederal entity to establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of federal awards. In addition, federal regulation 2 CFR 200.332(d) states that all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: • Reviewing financial and performance reports required by the pass-through entity.
• Following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address single audit findings related to the particular subaward. Federal regulation 2 CFR 200.332(h) states that all pass-through entities must consider taking enforcement action against noncompliant subrecipients. MDE's grant award notifications required ESF subrecipients to submit a FER by August 29, 2022. MDE contracted for the completion of subrecipient desk reviews. Cause MDE elected to delay its review of FERs until all FERs were received. Also, because MDE's contracted desk reviews did not begin until July 2022, it was unable to finalize any individual subrecipient reviews by September 30, 2022. Effect MDE may not identify in a timely manner subrecipients that used funds for unauthorized purposes. We consider this to be a material weakness and material noncompliance because of lack of during-the-award monitoring activities. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE complete sufficient during-the-award monitoring of ESF subrecipients. Management Views For part a., MDE partially agrees with the finding. MDE acknowledges that it did not complete any reviews of the FERs submitted during fiscal year 2022. However, the Uniform Guidance does not specify a timeframe for the review of FERs for ESF funds and the ESF program is inherently more flexible than other federal programs in this regard. 
Although grant award notifications (GANs) originally required ESF subrecipients to submit a FER by August 29, 2022, MDE communicated to ESF subrecipients after the initial GANs that the August 29, 2022 due date was subject to change due to the continuously changing rules and requirements around this funding, including extension possibilities such as late liquidation. ESF FERs were due either within 60 days of full draw of the funds or within 60 days of the end of the award period, which could have been during the State's fiscal year 2022 or well after September 30, 2022. For this reason, under Uniform Guidance, MDE had the authority to delay the review of FERs until closer to the end date of the award. In the case of late liquidation, the U.S. Department of Education provided notification that extended the award period as far as 14 months beyond the original end date of the award. For part b., MDE partially agrees with the finding. MDE acknowledges that subrecipient desk reviews were not finalized; however, the majority of the subrecipient monitoring was complete. The Uniform Guidance does not specify a timeframe for ESF subrecipient monitoring to occur and no requirement or expectation was made that monitoring would be finalized by MDE management by September 30, 2022. While the MDE contractor was not tracking completion against the date of September 30, 2022, documentation was and is still available, upon request from the OAG, to demonstrate the substantial ongoing monitoring activities, such as desk reviews and review of amendments, as of the end of the State's fiscal year 2022. The Compliance Team was in regular contact with MDE throughout the monitoring process. The Compliance Team provided regular updates leading up to September 30, 2022 and shared comprehensive preliminary results with the department soon after September 30, 2022. 
Auditor's Comments to Management Views We determined, and MDE acknowledged, it did not complete any FER reviews or finalize any desk reviews as part of its during-the-award monitoring activities for the $1.8 billion provided to subrecipients in fiscal year 2022. In addition, the contractor acknowledged it did not have a tracking mechanism in place identifying when desk reviews were completed; consequently, documentation did not exist to validate MDE's assertion that a majority of the subrecipient monitoring was complete. Federal regulation 2 CFR 200 Subpart F requires the SOM single audit be conducted annually in accordance with the State's fiscal year, which represents the period covered by the auditor's compliance opinion. Therefore, sufficient appropriate evidence must exist during the audit period to determine whether MDE complied with the subrecipient monitoring requirement identified as subject to audit in the OMB Compliance Supplement. Sufficient appropriate evidence did not exist in fiscal year 2022 to support compliance with federal regulation 2 CFR 200.332(d). Therefore, the finding stands as written.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and that the information system automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
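The account-management requirements cited in the Criteria of Finding 2022-013 (approval before access, deactivating replaced users, semiannual and annual reviews, and disabling accounts inactive for over 60 days) can be checked mechanically against a full account export rather than a sample. The following is an added illustration, not part of the audit report or any State of Michigan tooling; the record fields, finding labels, sample accounts, and the 183-day reading of "semiannual" are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds taken from the Criteria text; the day counts used for
# "semiannually" and "annually" are assumptions made for this example.
INACTIVITY_LIMIT = timedelta(days=60)
PRIVILEGED_REVIEW_INTERVAL = timedelta(days=183)
STANDARD_REVIEW_INTERVAL = timedelta(days=365)

# The finding measures inactivity as of this date.
AS_OF = date(2022, 9, 30)


@dataclass
class Account:
    """One row of a hypothetical account export (field names are assumptions)."""
    system: str
    user_id: str
    privileged: bool
    enabled: bool
    created: date
    last_login: Optional[date]      # None means the user never logged in
    last_reviewed: Optional[date]   # None means no documented review
    approved_by: Optional[str]      # signer of the security access form
    replaced_by: Optional[str] = None  # set when a new user took over the role


def audit_account(acct: Account, as_of: date) -> list:
    """Return the account-management exceptions for a single account."""
    if not acct.enabled:
        return []  # a disabled account grants no access, so nothing to flag
    findings = []
    if not acct.approved_by:
        findings.append("no_approval_on_file")
    if acct.replaced_by:
        findings.append("replaced_user_still_active")
    # An account that was never used is measured from its creation date,
    # so dormant never-used accounts are not silently skipped.
    last_activity = acct.last_login or acct.created
    if as_of - last_activity > INACTIVITY_LIMIT:
        findings.append("inactive_over_60_days")
    if acct.privileged:
        interval, label = PRIVILEGED_REVIEW_INTERVAL, "privileged_review_overdue"
    else:
        interval, label = STANDARD_REVIEW_INTERVAL, "annual_review_overdue"
    last_review = acct.last_reviewed or acct.created
    if as_of - last_review > interval:
        findings.append(label)
    return findings


def audit_accounts(accounts, as_of: date) -> dict:
    """Map (system, user_id) to its exceptions, omitting clean accounts."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, as_of)
        if findings:
            report[(acct.system, acct.user_id)] = findings
    return report


# Constructed sample data: the user IDs, approvers and dates are invented.
SAMPLE_ACCOUNTS = [
    Account("MEGS+", "u1001", False, True, date(2021, 1, 10),
            date(2022, 7, 15), date(2022, 3, 1), "official-1"),
    Account("NexSys", "admin01", True, True, date(2020, 5, 1),
            date(2022, 9, 28), date(2022, 1, 15), "official-2"),
    Account("GEMS/MARS", "u2002", False, True, date(2019, 4, 2),
            date(2022, 9, 1), date(2022, 6, 1), "official-1",
            replaced_by="u2003"),
    Account("NexSys", "u3003", False, True, date(2022, 9, 10),
            None, None, None),
    Account("MiND", "u4004", False, False, date(2018, 2, 1),
            date(2021, 1, 1), None, "official-3"),
    # Exactly 60 days since last login: not yet "over 60 days".
    Account("Catamaran", "u5005", False, True, date(2020, 8, 1),
            date(2022, 8, 1), date(2022, 2, 1), "official-3"),
]

if __name__ == "__main__":
    for key, findings in audit_accounts(SAMPLE_ACCOUNTS, AS_OF).items():
        print(key, findings)
```

Running the check over every account each cycle also produces the dated record that a sample-based review does not.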
FINDING 2022-018 MDE, Subrecipient Monitoring - Subaward Information See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not report to its subrecipients all subaward information as required by the Uniform Guidance. We noted: a. MDE did not report one or more of the following for 4 (16%) of 25 sampled Supporting Effective Instruction State Grant subrecipients and 28 (47%) of 60 ESF subrecipients: unique entity identifier, FAIN, federal award date, federal award project description, name of federal awarding agency and pass-through entity, ALN, Assistance Listing Title, federal award dollar amount, identification of whether the award is research and development, indirect cost rate for the federal award, an approved federally recognized indirect cost rate for the subrecipient, and closeout terms and conditions. b. MDE did not report the correct FAIN or closeout terms and conditions for all 5 sampled Coronavirus State and Local Fiscal Recovery Funds subrecipients. Criteria Federal regulation 2 CFR 200.332(a) requires that all pass-through entities ensure that every subaward includes certain information. Cause For part a., MDE informed us MEGS+ is designed to automatically generate the grant award notifications upon approval of subaward applications; however, this function did not operate correctly in fiscal year 2022. For part b., MDE informed us because of an oversight, it did not always provide all required subaward information to subrecipients. Also, MDE believed it used the best available information at the time MDE developed and executed the subawards; however, our review of documentation noted MDE was provided the program's award identification prior to the executed subawards, but MDE staff did not appropriately communicate the information to applicable parties. Effect Subrecipients and their auditors may not be aware of the federal award information needed to ensure compliance with the federal requirements. 
We consider this to be a material weakness and material noncompliance for ESF because of the high error rate related to federal award information which was not disclosed to the subrecipient. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE report to its subrecipients all subaward information as required by the Uniform Guidance. Management Views MDE agrees with the finding.
FINDING 2022-042 Education Stabilization Fund, ALN 84.425, Subrecipient Monitoring - During-the-Award Monitoring Procedures See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not complete sufficient during-the-award monitoring procedures in fiscal year 2022. MDE provided its subrecipients a two-year grant and notified its subrecipients in their grant award notification that a final expenditure report (FER) was due by August 29, 2022. As of September 30, 2022, MDE received 1,335 (78%) of 1,717 FERs for the two-year grant. In addition, MDE contracted with a vendor to conduct desk reviews of ESF subrecipients beginning in July 2022. We noted: a. MDE did not complete any reviews of the FERs submitted during fiscal year 2022. We determined subrecipients submitted 990 (58%) FERs by August 29, 2022. b. Neither MDE nor its contractor could provide documentation supporting the subrecipient desk reviews finalized and whether any corrective action was required or enforcement action was taken against noncompliant subrecipients during fiscal year 2022. Criteria Federal regulation 2 CFR 200.303 requires the nonfederal entity to establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of federal awards. In addition, federal regulation 2 CFR 200.332(d) states that all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:
- Reviewing financial and performance reports required by the pass-through entity.
- Following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address single audit findings related to the particular subaward.
Federal regulation 2 CFR 200.332(h) states that all pass-through entities must consider taking enforcement action against noncompliant subrecipients. MDE's grant award notifications required ESF subrecipients to submit a FER by August 29, 2022. MDE contracted for the completion of subrecipient desk reviews. Cause MDE elected to delay its review of FERs until all FERs were received. Also, because MDE's contracted desk reviews did not begin until July 2022, it was unable to finalize any individual subrecipient reviews by September 30, 2022. Effect MDE may not identify in a timely manner subrecipients that used funds for unauthorized purposes. We consider this to be a material weakness and material noncompliance because of lack of during-the-award monitoring activities. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE complete sufficient during-the-award monitoring of ESF subrecipients. Management Views For part a., MDE partially agrees with the finding. MDE acknowledges that it did not complete any reviews of the FERs submitted during fiscal year 2022. However, the Uniform Guidance does not specify a timeframe for the review of FERs for ESF funds and the ESF program is inherently more flexible than other federal programs in this regard.
Although grant award notifications (GANs) originally required ESF subrecipients to submit a FER by August 29, 2022, MDE communicated to ESF subrecipients after the initial GANs that the August 29, 2022 due date was subject to change due to the continuously changing rules and requirements around this funding, including extension possibilities such as late liquidation. ESF FERs were due either within 60 days of full draw of the funds or within 60 days of the end of the award period, which could have been during the State's fiscal year 2022 or well after September 30, 2022. For this reason, under Uniform Guidance, MDE had the authority to delay the review of FERs until closer to the end date of the award. In the case of late liquidation, the U.S. Department of Education provided notification that extended the award period as far as 14 months beyond the original end date of the award. For part b., MDE partially agrees with the finding. MDE acknowledges that subrecipient desk reviews were not finalized; however, the majority of the subrecipient monitoring was complete. The Uniform Guidance does not specify a timeframe for ESF subrecipient monitoring to occur and no requirement or expectation was made that monitoring would be finalized by MDE management by September 30, 2022. While the MDE contractor was not tracking completion against the date of September 30, 2022, documentation was and is still available, upon request from the OAG, to demonstrate the substantial ongoing monitoring activities, such as desk reviews and review of amendments, as of the end of the State's fiscal year 2022. The Compliance Team was in regular contact with MDE throughout the monitoring process. The Compliance Team provided regular updates leading up to September 30, 2022 and shared comprehensive preliminary results with the department soon after September 30, 2022. 
Auditor's Comments to Management Views We determined, and MDE acknowledged, it did not complete any FER reviews or finalize any desk reviews as part of its during-the-award monitoring activities for the $1.8 billion provided to subrecipients in fiscal year 2022. In addition, the contractor acknowledged it did not have a tracking mechanism in place identifying when desk reviews were completed; consequently, documentation did not exist to validate MDE's assertion that a majority of the subrecipient monitoring was complete. Federal regulation 2 CFR 200 Subpart F requires the SOM single audit be conducted annually in accordance with the State's fiscal year, which represents the period covered by the auditor's compliance opinion. Therefore, sufficient appropriate evidence must exist during the audit period to determine whether MDE complied with the subrecipient monitoring requirement identified as subject to audit in the OMB Compliance Supplement. Sufficient appropriate evidence did not exist in fiscal year 2022 to support compliance with federal regulation 2 CFR 200.332(d). Therefore, the finding stands as written.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-043 Aging Cluster, ALN 93.044, 93.045, and 93.053, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Matching, Level of Effort, and Earmarking; and Subrecipient Monitoring - AIS FIRST User Access See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully establish effective user access controls over Aging Information System (AIS) Financial Information Reporting System Technology (FIRST). AIS FIRST is utilized by Aging Cluster subrecipients to submit data, payment requests, and financial status reports to MDHHS. We noted MDHHS did not properly approve 3 of the 4 sampled users' application security agreements prior to granting access to AIS FIRST. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires security controls be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring that users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. Cause MDHHS informed us that due to limited staff resources, the application security agreements did not contain a final approving signature. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to AIS FIRST. Known Questioned Costs None. 
Recommendation We recommend MDHHS fully establish effective user access controls over AIS FIRST. Management Views MDHHS agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually.
For parts b. and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding.
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-014 MDE, Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 29 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDE informed us that because of an oversight, it did not document the testing results and close the work items. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDE fully implement an effective change management process over MiND and NexSys. Management Views MDE agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-016 MDE, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not have a process to ensure it submitted subaward information in accordance with the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. MDE's process is to reopen and overwrite the previous month's report on the FFATA Subaward Reporting System (FSRS) instead of submitting a new report each month. We reviewed FSRS and MDE's FFATA documentation and could not determine if MDE timely reported subaward information for: a. All 22 sampled Supporting Effective Instruction State Grants subawards totaling $5,435,439. b. 32 (94%) of 34 sampled Education Stabilization Fund (ESF) subawards totaling $29,957,229. c. All 10 sampled CCDF Cluster subawards totaling $6,407,071. Criteria Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on its FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards. Cause MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds available for the recipient. As a result, historical data is unavailable in FSRS. Effect We were unable to determine if MDE grant information was available in a timely manner for public access through the federal website established to improve transparency of governmental spending. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE submit subaward information in accordance with FFATA and federal guidance. Management Views MDE agrees with the finding.
FINDING 2022-044 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 6 (15%) of the 40 cases we reviewed. Our review disclosed: a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 3 (8%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services. b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 2 (5%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits. c. MDHHS did not maintain sufficient documentation to support the client's eligibility determination for 1 (3%) of 40 cases reviewed. We noted incomplete supporting documentation related to the client's categorical eligibility. Criteria Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. 
The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider. Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan. Cause MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required verification documentation in the client's case record to support eligibility. Effect We consider this to be a material weakness and material noncompliance because MDE may have made payments on behalf of ineligible clients and because of the overall high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $1,688 - federal share. $707 - State share of costs that MDE inappropriately used as matching. Recommendation We recommend that MDE and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements. Management Views MDHHS and MDE agree with the finding.
FINDING 2022-045 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Child Care Stabilization Grants See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not maintain documentation of its efforts to verify child care stabilization grant applications. For 3 (7%) of the 45 applications reviewed, MDE did not document and follow up on differences between Bridges child eligibility data and the number of subsidy eligible children on the provider's application. MDE calculated provider grant amounts based on the number of children on the grant application which did not always agree with subsidy eligible children reported in Bridges, resulting in potential underpayments to the providers. Criteria The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers. Providers were required to complete separate online applications to receive child care stabilization grants in fall 2021, spring 2022, and summer 2022. MDE's written procedures required its administrative reviewer to edit the number of subsidy children on the application to match Bridges query data. Cause MDE informed us that because of an oversight, documentation was not maintained to support that it used the correct number of subsidy-eligible children when calculating a provider's grant amount. Effect MDE may have made inaccurate child care stabilization grant payments to child care providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE maintain documentation to support that it appropriately verifies child care stabilization grant applications. Management Views MDE agrees with the finding.
FINDING 2022-046 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements See Schedule of Findings and Questioned Costs for chart/table. Background In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2022, LARA was responsible for performing on-site inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period. Condition MDE and LARA did not perform timely inspections and maintain sufficient documentation to support child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 51 sampled licensed providers for the CCDF Cluster payments disclosed: a. LARA did not ensure timely annual on-site inspections for 7 (14%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection. b. LARA did not maintain documentation to support 1 renewal inspection. c. LARA did not maintain documentation to support it granted an extension when the license period had expired for 1 provider with a license renewed during fiscal year 2022. Criteria Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect under State, local, or tribal law requirements designed, implemented, and enforced to protect the health and safety of children and provides the minimum health and safety topics that must include training on and be applicable to child care providers of services.
The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards. Federal regulation 45 CFR 98.44 requires MDE to identify in its CCDF State Plan established requirements for pre-service or orientation training in the established health and safety standards and for ongoing professional development that maintains and updates the health and safety standards described in federal regulation 45 CFR 98.41. Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards. Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations. Cause LARA informed us limited resources impacted the timeliness of some inspections and the missing documentation was an oversight. Effect Child care providers may not have complied with all applicable health and safety requirements to receive CCDF Cluster funds resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $245 - federal share. $103 - State share of costs that MDE inappropriately used as matching.
Recommendation We recommend MDE and LARA perform timely inspections and maintain sufficient documentation to support child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments. Management Views MDE and LARA agree with the finding.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-014 MDE, Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 29 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDE informed us that because of an oversight, it did not document the testing results and close the work items. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDE fully implement an effective change management process over MiND and NexSys. Management Views MDE agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-016 MDE, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not have a process to ensure it submitted subaward information in accordance with the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. MDE's process is to reopen and overwrite the previous month's report on the FFATA Subaward Reporting System (FSRS) instead of submitting a new report each month. We reviewed FSRS and MDE's FFATA documentation and could not determine if MDE timely reported subaward information for: a. All 22 sampled Supporting Effective Instruction State Grants subawards totaling $5,435,439. b. 32 (94%) of 34 sampled Education Stabilization Fund (ESF) subawards totaling $29,957,229. c. All 10 sampled CCDF Cluster subawards totaling $6,407,071. Criteria Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on its FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards. Cause MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds available for the recipient. As a result, historical data is unavailable in FSRS. Effect We were unable to determine if MDE grant information was available in a timely manner for public access through the federal website established to improve transparency of governmental spending. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE submit subaward information in accordance with FFATA and federal guidance. Management Views MDE agrees with the finding.
FINDING 2022-044 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 6 (15%) of the 40 cases we reviewed. Our review disclosed: a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 3 (8%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services. b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 2 (5%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits. c. MDHHS did not maintain sufficient documentation to support the client's eligibility determination for 1 (3%) of 40 cases reviewed. We noted incomplete supporting documentation related to the client's categorical eligibility. Criteria Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. 
The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider. Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan. Cause MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required verification documentation in the client's case record to support eligibility. Effect We consider this to be a material weakness and material noncompliance because MDE may have made payments on behalf of ineligible clients and because of the overall high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $1,688 - federal share. $707 - State share of costs that MDE inappropriately used as matching. Recommendation We recommend that MDE and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements. Management Views MDHHS and MDE agree with the finding.
FINDING 2022-045 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Child Care Stabilization Grants See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not maintain documentation of its efforts to verify child care stabilization grant applications. For 3 (7%) of the 45 applications reviewed, MDE did not document and follow up on differences between Bridges child eligibility data and the number of subsidy eligible children on the provider's application. MDE calculated provider grant amounts based on the number of children on the grant application, which did not always agree with subsidy eligible children reported in Bridges, resulting in potential underpayments to the providers. Criteria The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers. Providers were required to complete separate online applications to receive child care stabilization grants in fall 2021, spring 2022, and summer 2022. MDE's written procedures required its administrative reviewer to edit the number of subsidy children on the application to match Bridges query data. Cause MDE informed us that because of an oversight, documentation was not maintained to support that it used the correct number of subsidy-eligible children when calculating a provider's grant amount. Effect MDE may have made inaccurate child care stabilization grant payments to child care providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE maintain documentation to support that it appropriately verifies child care stabilization grant applications. Management Views MDE agrees with the finding.
FINDING 2022-046 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements See Schedule of Findings and Questioned Costs for chart/table. Background In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2022, LARA was responsible for performing on-site inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period. Condition MDE and LARA did not perform timely inspections and maintain sufficient documentation to support child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 51 sampled licensed providers for the CCDF Cluster payments disclosed: a. LARA did not ensure timely annual on-site inspections for 7 (14%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection. b. LARA did not maintain documentation to support 1 renewal inspection. c. LARA did not maintain documentation to support it granted an extension when the license period had expired for 1 provider with a license renewed during fiscal year 2022. Criteria Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect under State, local, or tribal law requirements designed, implemented, and enforced to protect the health and safety of children and provides the minimum health and safety topics that must include training on and be applicable to child care providers of services. 
The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards. Federal regulation 45 CFR 98.44 requires MDE to identify in its CCDF State Plan established requirements for pre-service or orientation training in the established health and safety standards and for ongoing professional development that maintains and updates the health and safety standards described in federal regulation 45 CFR 98.41. Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards. Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations. Cause LARA informed us limited resources impacted the timeliness of some inspections and the missing documentation was an oversight. Effect Child care providers may not have complied with all applicable health and safety requirements to receive CCDF Cluster funds resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $245 - federal share. 
$103 - State share of costs that MDE inappropriately used as matching. Recommendation We recommend MDE and LARA perform timely inspections and maintain sufficient documentation to support child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments. Management Views MDE and LARA agree with the finding.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-014 MDE, Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 29 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDE informed us that because of an oversight, it did not document the testing results and close the work items. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDE fully implement an effective change management process over MiND and NexSys. Management Views MDE agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-016 MDE, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not have a process to ensure it submitted subaward information in accordance with the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. MDE's process is to reopen and overwrite the previous month's report on the FFATA Subaward Reporting System (FSRS) instead of submitting a new report each month. We reviewed FSRS and MDE's FFATA documentation and could not determine if MDE timely reported subaward information for: a. All 22 sampled Supporting Effective Instruction State Grants subawards totaling $5,435,439. b. 32 (94%) of 34 sampled Education Stabilization Fund (ESF) subawards totaling $29,957,229. c. All 10 sampled CCDF Cluster subawards totaling $6,407,071. Criteria Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on its FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards. Cause MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds available for the recipient. As a result, historical data is unavailable in FSRS. Effect We were unable to determine if MDE grant information was available in a timely manner for public access through the federal website established to improve transparency of governmental spending. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE submit subaward information in accordance with FFATA and federal guidance. Management Views MDE agrees with the finding.
FINDING 2022-044 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 6 (15%) of the 40 cases we reviewed. Our review disclosed: a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 3 (8%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services. b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 2 (5%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits. c. MDHHS did not maintain sufficient documentation to support the client's eligibility determination for 1 (3%) of 40 cases reviewed. We noted incomplete supporting documentation related to the client's categorical eligibility. Criteria Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. 
The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider. Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan. Cause MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required verification documentation in the client's case record to support eligibility. Effect We consider this to be a material weakness and material noncompliance because MDE may have made payments on behalf of ineligible clients and because of the overall high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $1,688 - federal share. $707 - State share of costs that MDE inappropriately used as matching. Recommendation We recommend that MDE and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements. Management Views MDHHS and MDE agree with the finding.
FINDING 2022-045 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Child Care Stabilization Grants See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not maintain documentation of its efforts to verify child care stabilization grant applications. For 3 (7%) of the 45 applications reviewed, MDE did not document and follow up differences between Bridges child eligibility data and the number of subsidy eligible children on the provider's application. MDE calculated provider grant amounts based on the number of children on the grant application which did not always agree with subsidy eligible children reported in Bridges, resulting in potential underpayments to the providers. Criteria The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers. Providers were required to complete separate online applications to receive child care stabilization grants in fall 2021, spring 2022, and summer 2022. MDE's written procedures required its administrative reviewer to edit the number of subsidy children on the application to match Bridges query data. Cause MDE informed us that because of an oversight, documentation was not maintained to support that it used the correct number of subsidy-eligible children when calculating a provider's grant amount. Effect MDE may have made inaccurate child care stabilization grant payments to child care providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE maintain documentation to support that it appropriately verifies child care stabilization grant applications. Management Views MDE agrees with the finding.
FINDING 2022-046 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements See Schedule of Findings and Questioned Costs for chart/table. Background In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2022, LARA was responsible for performing onsite inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period. Condition MDE and LARA did not perform timely inspections and maintain sufficient documentation to support child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 51 sampled licensed providers for the CCDF Cluster payments disclosed: a. LARA did not ensure timely annual on-site inspections for 7 (14%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection. b. LARA did not maintain documentation to support 1 renewal inspection. c. LARA did not maintain documentation to support it granted an extension when the license period had expired for 1 provider with a license renewed during fiscal year 2022. Criteria Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect under State, local, or tribal law requirements designed, implemented, and enforced to protect the health and safety of children and provides the minimum health and safety topics that must include training on and be applicable to child care providers of services. 
The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards. Federal regulation 45 CFR 98.44 requires MDE to identify in its CCDF State Plan established requirements for pre-service or orientation training in the established health and safety standards and for ongoing professional development that maintains and updates the health and safety standards described in federal regulation 45 CFR 98.41. Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards. Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations. Cause LARA informed us limited resources impacted the timeliness of some inspections and the missing documentation was an oversight. Effect Child care providers may not have complied with all applicable health and safety requirements to receive CCDF Cluster funds resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $245 - federal share.
$103 - State share of costs that MDE inappropriately used as matching. Recommendation We recommend MDE and LARA perform timely inspections and maintain sufficient documentation to support child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments. Management Views MDE and LARA agree with the finding.

FINDING 2022-005
Bridges Change Management Process

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.

Management Views
MDHHS agrees with the finding.

FINDING 2022-013
MDE, Security Management and Access Controls

See Schedule of Findings and Questioned Costs for chart/table.

Condition
The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted:

a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed:
   (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts.
   (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users.
b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys.
c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys.
d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below:

See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.

SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days.

MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.

Cause
For part a., MDE informed us security administrators did not always follow established processes for granting and approving access.
For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested.
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts.
For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems.

Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran.

Management Views
MDE agrees with the finding.

FINDING 2022-014
MDE, Change Management Process

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 29 MiND and 12 NexSys change deployments and noted:

See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.

Management Views
MDE agrees with the finding.

FINDING 2022-015
MDHHS, PACAP - Inappropriate PACAP Allocation

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools.

Criteria
Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP.

Cause
MDHHS informed us its quality control processes did not detect the errors.

Effect
MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs
• $426,648 - federal share.

Recommendation
We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs.

Management Views
MDHHS agrees with the finding.

FINDING 2022-016
MDE, Reporting - FFATA Reporting

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not have a process to ensure it submitted subaward information in accordance with the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. MDE's process is to reopen and overwrite the previous month's report on the FFATA Subaward Reporting System (FSRS) instead of submitting a new report each month. We reviewed FSRS and MDE's FFATA documentation and could not determine if MDE timely reported subaward information for:

a. All 22 sampled Supporting Effective Instruction State Grants subawards totaling $5,435,439.
b. 32 (94%) of 34 sampled Education Stabilization Fund (ESF) subawards totaling $29,957,229.
c. All 10 sampled CCDF Cluster subawards totaling $6,407,071.

Criteria
Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on its FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards.

Cause
MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds available for the recipient. As a result, historical data is unavailable in FSRS.

Effect
We were unable to determine if MDE grant information was available in a timely manner for public access through the federal website established to improve transparency of governmental spending. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs
None.

Recommendation
We recommend MDE submit subaward information in accordance with FFATA and federal guidance.

Management Views
MDE agrees with the finding.

FINDING 2022-044
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 6 (15%) of the 40 cases we reviewed. Our review disclosed:

a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 3 (8%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services.
b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 2 (5%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits.
c. MDHHS did not maintain sufficient documentation to support the client's eligibility determination for 1 (3%) of 40 cases reviewed. We noted incomplete supporting documentation related to the client's categorical eligibility.

Criteria
Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider.

Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan.

Cause
MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required verification documentation in the client's case record to support eligibility.

Effect
We consider this to be a material weakness and material noncompliance because MDE may have made payments on behalf of ineligible clients and because of the overall high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $1,688 - federal share.
• $707 - State share of costs that MDE inappropriately used as matching.

Recommendation
We recommend that MDE and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements.

Management Views
MDHHS and MDE agree with the finding.

FINDING 2022-045
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Child Care Stabilization Grants

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not maintain documentation of its efforts to verify child care stabilization grant applications. For 3 (7%) of the 45 applications reviewed, MDE did not document and follow up differences between Bridges child eligibility data and the number of subsidy eligible children on the provider's application. MDE calculated provider grant amounts based on the number of children on the grant application which did not always agree with subsidy eligible children reported in Bridges, resulting in potential underpayments to the providers.

Criteria
The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers. Providers were required to complete separate online applications to receive child care stabilization grants in fall 2021, spring 2022, and summer 2022. MDE's written procedures required its administrative reviewer to edit the number of subsidy children on the application to match Bridges query data.

Cause
MDE informed us that because of an oversight, documentation was not maintained to support that it used the correct number of subsidy-eligible children when calculating a provider's grant amount.

Effect
MDE may have made inaccurate child care stabilization grant payments to child care providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs
None.

Recommendation
We recommend MDE maintain documentation to support that it appropriately verifies child care stabilization grant applications.

Management Views
MDE agrees with the finding.

FINDING 2022-046
CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements

See Schedule of Findings and Questioned Costs for chart/table.

Background
In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2022, LARA was responsible for performing on-site inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period.

Condition
MDE and LARA did not perform timely inspections and maintain sufficient documentation to support child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 51 sampled licensed providers for the CCDF Cluster payments disclosed:

a. LARA did not ensure timely annual on-site inspections for 7 (14%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection.
b. LARA did not maintain documentation to support 1 renewal inspection.
c. LARA did not maintain documentation to support it granted an extension when the license period had expired for 1 provider with a license renewed during fiscal year 2022.

Criteria
Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect under State, local, or tribal law requirements designed, implemented, and enforced to protect the health and safety of children and provides the minimum health and safety topics that must include training on and be applicable to child care providers of services. The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards.

Federal regulation 45 CFR 98.44 requires MDE to identify in its CCDF State Plan established requirements for pre-service or orientation training in the established health and safety standards and for ongoing professional development that maintains and updates the health and safety standards described in federal regulation 45 CFR 98.41.

Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards. Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations.

Cause
LARA informed us limited resources impacted the timeliness of some inspections and the missing documentation was an oversight.

Effect
Child care providers may not have complied with all applicable health and safety requirements to receive CCDF Cluster funds resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs
Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $245 - federal share.
• $103 - State share of costs that MDE inappropriately used as matching.

Recommendation
We recommend MDE and LARA perform timely inspections and maintain sufficient documentation to support child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments.

Management Views
MDE and LARA agree with the finding.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-013 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Education (MDE) did not fully establish effective security management and access controls over Michigan Electronic Grants System Plus (MEGS+); Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS); Michigan Nutrition Data (MiND); Next Generation Grant, Application and Cash Management System (NexSys); and Catamaran. We noted: a. MDE did not consistently follow its established policies and procedures over the granting of access to GEMS/MARS and NexSys. Our review disclosed: (1) MDE did not maintain documentation to support it approved the system role for 1 (3%) of 33 sampled GEMS/MARS users. Of the 33 forms reviewed, 18 forms related to replacing an existing user and we noted for 2 (11%) of these users MDE did not deactivate the existing users' accounts. (2) Of the 44 sampled NexSys forms reviewed, 17 forms related to replacing an existing user and we noted for 1 (6%) of these users MDE did not deactivate the existing users' accounts. In addition, MDE did not obtain proper approval prior to granting access for 1 (20%) of 5 sampled NexSys grant unit users. b. MDE did not review all privileged accounts on a semiannual basis for MEGS+ and NexSys. c. MDE did not review all non-privileged accounts on an annual basis for MEGS+, GEMS/MARS, MiND, and NexSys. d. MDE did not disable inactive MEGS+, GEMS/MARS, MiND, and Catamaran users who had not accessed the applications in over 60 days as of September 30, 2022 as noted below: See Schedule of Findings and Questioned Costs for chart/table. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts, and the information system to automatically disable inactive user accounts after 60 days. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause For part a., MDE informed us security administrators did not always follow established processes for granting and approving access. For part b., MDE informed us that because of an oversight, semiannual reviews were not documented and appropriate action was not taken when the semiannual reviews were not completed as requested. 
For part c., MDE informed us it performs annual reviews on a sample basis for MEGS+, GEMS/MARS, and MiND non-privileged accounts because of the volume of accounts. Also, MDE informed us it did not establish a process to perform annual reviews for NexSys non-privileged accounts. For part d., MDE informed us it does not deactivate users after 60 days of inactivity because many users do not regularly use the systems and the 60-day lockout would result in those users requesting reactivation to the systems. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over MEGS+, GEMS/MARS, MiND, NexSys, and Catamaran. Management Views MDE agrees with the finding.
FINDING 2022-014 MDE, Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 29 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDE informed us that because of an oversight, it did not document the testing results and close the work items. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDE fully implement an effective change management process over MiND and NexSys. Management Views MDE agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-016 MDE, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not have a process to ensure it submitted subaward information in accordance with the Federal Funding Accountability and Transparency Act (FFATA) of 2006 and federal guidance. MDE's process is to reopen and overwrite the previous month's report on the FFATA Subaward Reporting System (FSRS) instead of submitting a new report each month. We reviewed FSRS and MDE's FFATA documentation and could not determine if MDE timely reported subaward information for: a. All 22 sampled Supporting Effective Instruction State Grants subawards totaling $5,435,439. b. 32 (94%) of 34 sampled Education Stabilization Fund (ESF) subawards totaling $29,957,229. c. All 10 sampled CCDF Cluster subawards totaling $6,407,071. Criteria Federal regulation 2 CFR 170 implemented FFATA requirements for reporting subaward information and requires MDE to report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. The federal government maintains frequently asked questions providing guidance on the correct FFATA reporting process on its FSRS website. This guidance clarifies FFATA reporting should be completed monthly and reopening and resubmitting the same report to update for monthly changes over the life of the grant is incorrect and will make it difficult to track reported awards. Cause MDE informed us it overwrites FFATA reports on the FSRS website each month as needed to ensure each grant always reflects the current grant funds available for the recipient. As a result, historical data is unavailable in FSRS. Effect We were unable to determine if MDE grant information was available in a timely manner for public access through the federal website established to improve transparency of governmental spending. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE submit subaward information in accordance with FFATA and federal guidance. Management Views MDE agrees with the finding.
FINDING 2022-044 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Client Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDE and MDHHS did not ensure compliance with federal laws and regulations relating to client eligibility for CCDF Cluster child care payments for 6 (15%) of the 40 cases we reviewed. Our review disclosed: a. MDHHS case record documentation was inconsistent with client eligibility information entered in Bridges for 3 (8%) of 40 cases reviewed. For these cases, the authorized hours of care in Bridges exceeded the client's documented need for hours of child care services. b. MDHHS did not appropriately categorize the client's eligibility based on the supporting documentation in the case record for 2 (5%) of 40 cases reviewed. We determined this did not affect the client's eligibility for child care services or level of benefits. c. MDHHS did not maintain sufficient documentation to support the client's eligibility determination for 1 (3%) of 40 cases reviewed. We noted incomplete supporting documentation related to the client's categorical eligibility. Criteria Federal regulation 45 CFR 98.20 provides eligibility requirements for child care services and permits MDE to establish eligibility requirements in addition to those outlined in the section as long as the additional requirements are not in violation of the regulation. Federal regulation 45 CFR 98.16(i)(5) requires MDE identify additional eligibility requirements in its CCDF State Plan. MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides specific requirements for client, child, and provider eligibility. Also, CCDF program policy deems clients are either income eligible or categorically eligible if they participate in certain other programs such as Foster Care - Title IV. 
The client's income or categorical eligibility determines the client's level of benefits, and the child must be assigned to an eligible provider. Federal regulation 45 CFR 98.55 allows states to claim expenditures to be matched at the federal medical assistance percentage rate for allowable activities, as described in the approved state plan. In order to receive federal matching funds for a fiscal year, states must also expend an amount of nonfederal funds for child care activities in the state that is at least equal to the state's share of expenditures for the fiscal years 1994 or 1995 (whichever is greater) under Sections 402(g) and 402(i) of the federal Social Security Act as these sections were in effect before October 1, 1995, and the expenditures must be for allowable services or activities, as described in the approved state plan. Cause MDHHS informed us its internal control and monitoring activities were not sufficient to ensure MDHHS maintained or appropriately considered the required verification documentation in the client's case record to support eligibility. Effect We consider this to be a material weakness and material noncompliance because MDE may have made payments on behalf of ineligible clients and because of the overall high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $1,688 - federal share. $707 - State share of costs that MDE inappropriately used as matching. Recommendation We recommend that MDE and MDHHS maintain sufficient documentation and ensure that Bridges appropriately reflects documentation to support client eligibility was determined in accordance with eligibility requirements. Management Views MDHHS and MDE agree with the finding.
FINDING 2022-045 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility - Child Care Stabilization Grants See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not maintain documentation of its efforts to verify child care stabilization grant applications. For 3 (7%) of the 45 applications reviewed, MDE did not document and follow up differences between Bridges child eligibility data and the number of subsidy eligible children on the provider's application. MDE calculated provider grant amounts based on the number of children on the grant application which did not always agree with subsidy eligible children reported in Bridges, resulting in potential underpayments to the providers. Criteria The American Relief Plan of 2021 requires states to make child care stabilization grants to qualified child care providers. Providers were required to complete separate online applications to receive child care stabilization grants in fall 2021, spring 2022, and summer 2022. MDE's written procedures required its administrative reviewer to edit the number of subsidy children on the application to match Bridges query data. Cause MDE informed us that because of an oversight, documentation was not maintained to support that it used the correct number of subsidy-eligible children when calculating a provider's grant amount. Effect MDE may have made inaccurate child care stabilization grant payments to child care providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDE maintain documentation to support that it appropriately verifies child care stabilization grant applications. Management Views MDE agrees with the finding.
FINDING 2022-046 CCDF Cluster, ALN 93.575 and 93.596, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; Matching, Level of Effort, and Earmarking; and Special Tests and Provisions - Provider Health and Safety Requirements See Schedule of Findings and Questioned Costs for chart/table. Background In accordance with the interagency agreement between MDE and the Department of Licensing and Regulatory Affairs (LARA) for fiscal year 2022, LARA was responsible for performing onsite inspections and licensing of child care providers. LARA completes on-site inspections to issue licenses, to renew licenses at the end of the license period, and to perform an interim inspection during the license period. Condition MDE and LARA did not perform timely inspections and maintain sufficient documentation to support child care providers met applicable health and safety requirements to be eligible for CCDF Cluster payments. Our review of 51 sampled licensed providers for the CCDF Cluster payments disclosed: a. LARA did not ensure timely annual on-site inspections for 7 (14%) licensed providers. We noted LARA performed the on-site inspections from 15 to 20 months after the last on-site inspection. b. LARA did not maintain documentation to support 1 renewal inspection. c. LARA did not maintain documentation to support it granted an extension when the license period had expired for 1 provider with a license renewed during fiscal year 2022. Criteria Federal regulation 45 CFR 98.41 states the lead agency (MDE) shall have in effect under State, local, or tribal law requirements designed, implemented, and enforced to protect the health and safety of children and provides the minimum health and safety topics that must include training on and be applicable to child care providers of services. 
The regulation also allows for MDE to include additional requirements determined to be necessary to promote child development and to protect children's health and safety as long as the additional requirements are not inconsistent with the parental choice safeguards. Federal regulation 45 CFR 98.44 requires MDE to identify in its CCDF State Plan established requirements for pre-service or orientation training in the established health and safety standards and for ongoing professional development that maintains and updates the health and safety standards described in federal regulation 45 CFR 98.41. Federal regulation 45 CFR 98.42(b)(2) states MDE shall certify in its CCDF State Plan it has monitoring policies and practices applicable to all child care providers eligible to deliver services for which assistance is provided under the CCDF Cluster. MDE must require inspections of licensed child care providers at licensure and not less than annually for compliance with all health and safety requirements described in federal regulation 45 CFR 98.41 and fire standards. Section 5 of MDE's CCDF State Plan for Federal Fiscal Years 2022-2024 provides the State's standards and monitoring processes to ensure providers meet health and safety requirements in the federal regulations. Cause LARA informed us limited resources impacted the timeliness of some inspections and the missing documentation was an oversight. Effect Child care providers may not have complied with all applicable health and safety requirements to receive CCDF Cluster funds resulting in potential improper payments to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $245 - federal share.
$103 - State share of costs that MDE inappropriately used as matching. Recommendation We recommend MDE and LARA perform timely inspections and maintain sufficient documentation to support child care providers meet applicable health and safety requirements to be eligible for CCDF Cluster payments. Management Views MDE and LARA agree with the finding.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-007 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted: a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan. b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing. c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP. 
Cause MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment. Effect MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding. For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. 
For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability. For part c, although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls. 
Auditor's Comments to Management Views The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2022-009 CHAMPS General Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is the Medicaid and CHIP claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to CHAMPS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-019 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility See Schedule of Findings and Questioned Costs for chart/table. Background In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP. Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. As a result, we sampled beneficiaries for each program who either began receiving assistance or had a change in their type of assistance during fiscal year 2022. We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table. For an estimated 74,086 Medicaid and 16,324 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. 
However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested. The results of the testing for the remaining 54 Medicaid and 48 CHIP beneficiaries we were able to review are summarized in the finding below. Condition MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed: a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 4 (7%) of 54 Medicaid and 11 (23%) of 48 CHIP cases reviewed. b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 54 Medicaid cases reviewed. Criteria Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Cause For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions. For part b., MDHHS indicated the missing documentation resulted from staff oversight. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 9% Medicaid and 23% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance. 
Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $1,969 - federal share.
• $656 - State share of costs MDHHS inappropriately used as matching.
Recommendations We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements. We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-020 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely. On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified it incorrectly recorded $39.1 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2022. However, we selected a sample of 2 beneficiaries that were transferred to CHIP and noted both beneficiaries were not eligible for CHIP but were in fact Medicaid eligible and, therefore, should not have been transferred. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs. Cause MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). 
The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, some cases were transferred in error. Effect MDHHS inappropriately transferred $294 Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Also, of the $39.1 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. For the CHIP compliance requirements noted, we consider this to be a material weakness and material noncompliance because the $39.1 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 14% of total CHIP expenditures and both sample items were inappropriately transferred to CHIP. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $235 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $235 is questioned in Finding 2022-019.
• $58 - State share of costs MDHHS inappropriately used as matching.
Recommendation We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views MDHHS agrees with the finding.
FINDING 2022-021 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Eligibility Interface Errors See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments. Condition MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Cause MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices. Effect MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. 
Recommendation We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate. Management Views MDHHS agrees with the finding.
FINDING 2022-022 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures. Criteria Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935. 
Cause MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS relies on the entities to inform it when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures. Effect MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendations We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures. Management Views MDHHS agrees with the finding.
FINDING 2022-023 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report). We noted: a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $1.6 million of the federal share of overpayments. b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the first quarter of fiscal year 2022. c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting. d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording overpayments on the incorrect CMS-64 line and returning the incorrect federal share. e. MDHHS did not report 11 (44%) of 25 sampled Medicaid overpayments and 2 (50%) of 4 sampled CHIP overpayments accurately or timely, such as incorrectly applying a federal medical assistance percentage rate, untimely reporting after the 1-year time reporting requirement lapsed, or untimely reporting collections received. 
Criteria Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount. Cause MDHHS informed us system issues contributed to the untimely reporting of overpayments. Also, MDHHS stated overpayment receivables entered into CHAMPS were not properly reported due to the design of CHAMPS and the needed quarterly CHAMPS reports were only scheduled to be run on an annual basis. Effect MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendation We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report. Management Views MDHHS agrees with the finding.
FINDING 2022-024 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure MHP, PIHP, MI Choice, and Dental Health Plan medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports. The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care. Criteria Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports. Cause MDHHS informed us it relies on the attestation included within the MLR reports indicating the information submitted is current, complete, accurate, and in compliance with federal regulation 42 CFR 438.8; therefore, MDHHS did not require the comparison to be included. Effect MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports. Management Views MDHHS agrees with the finding.
FINDING 2022-025 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure an independent audit was conducted and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2022. Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries. Criteria Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website. Cause MDHHS informed us it relies on various reviews in lieu of an independent audit of encounter and financial data, such as periodically comparing CHAMPS encounter data with the managed care entities' internally stored encounter data to identify variances. Effect We consider this to be a material weakness and material noncompliance because MDHHS significantly limits its assurance the data submitted by the managed care entities is accurate. Also, inaccurate data could affect the capitation rates developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. 
Recommendation We recommend MDHHS ensure an independent audit is conducted and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities. Management Views MDHHS agrees with the finding.
FINDING 2022-047 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $5,774 for 15 (50%) of 30 payments sampled from a $1,390,653 population of beneficiary payments with no corresponding Medicaid coverage. Criteria Federal regulation 42 CFR 435.1002(b) indicates that federal funding is available only for services provided to eligible beneficiaries. Cause MDHHS informed us because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility. Effect MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs exceed $25,000.
• $5,103 - federal share of payments made to providers on behalf of ineligible beneficiaries.
• $671 - State share of payments made to providers on behalf of ineligible beneficiaries.
Recommendation We recommend that MDHHS ensure that beneficiary eligibility is updated in CHAMPS. Management Views MDHHS agrees with the finding.
FINDING 2022-048 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not prevent or timely recover payments, totaling $324, for 2 (25%) of 8 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 135 allows payment for HHP services on the day a client is discharged from the hospital. Cause MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, the monthly hospitalization reports are not capturing all facility stays for home help clients. Effect MDHHS paid a total of $324 from October 1, 2021 through September 30, 2022 for sampled clients who did not qualify for the HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $232 - federal share of amounts paid for HHP services while sampled clients were hospitalized.
• $92 - State share of costs MDHHS inappropriately used as matching.
Recommendation We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-049 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; and Matching, Level of Effort, and Earmarking - Home Help Payment Oversight See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not review home help provider invoices for 4 (27%) of 15 sampled payments to individual providers, totaling $485, to help ensure home help payments were reflective of the services provided. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 requires individual providers to submit monthly invoices for reimbursement. Cause Although the Electronic Service Verifications (ESV) and Paper Service Verifications (PSV) collect information on completed services, prior to April 1, 2022 there was no automated review of the ESV information and there continues to be no automated review of the PSV information to determine if all services were provided before payment was issued. Effect MDHHS paid a total of $485 for services from October 1, 2021 through September 30, 2022 that were not supported by home help provider invoices for the sampled payments. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $348 - federal share.
• $137 - State share of costs MDHHS inappropriately used as matching.
Recommendation We recommend MDHHS review home help provider invoices to help ensure home help payments are reflective of the services provided. Management Views MDHHS agrees with the finding.
FINDING 2022-050 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $95,211 for 2,154 FFS claims for beneficiaries simultaneously enrolled in an MHP. Criteria According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award. Cause MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us that the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. Effect MDHHS made improper FFS practitioner payments of $95,211 from October 1, 2021 through September 30, 2022. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs
• $71,324 - federal share of improper payments made to providers from October 1, 2021 through September 30, 2022.
• $23,887 - State share of costs MDHHS inappropriately used as matching.
Recommendation We recommend that MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster. Management Views MDHHS agrees with the finding.
FINDING 2022-051 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Special Tests and Provisions - MARIS General Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security management over the Medicaid Audit Recovery and Investigation System (MARIS) database. MDHHS staff use MARIS to track and investigate complaints alleging Medicaid fraud, waste, and abuse. The MARIS database management system contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to MARIS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of MARIS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security management over the MARIS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
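The auditor's point in Finding 2022-003 that interface controls operate at the level of each data file, not across a series of transfers, can be shown with a small reconciliation routine. This is an added illustration, not code from the audit report, DTMB, or Bridges; the table layouts, field names, file identifiers, and figures are all constructed assumptions.

```python
"""Per-file interface reconciliation with control totals (constructed data)."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class FileControl:
    """Control totals the source system declares for one transferred file."""
    file_id: str
    record_count: int
    amount_total: Decimal


@dataclass(frozen=True)
class BatchSummary:
    """What the receiving system reports it did with that file."""
    file_id: str
    loaded: int
    rejected: int
    amount_loaded: Decimal
    amount_rejected: Decimal


def reconcile_file(ctl, summ):
    """Return exception strings for one file; an empty list means it reconciles."""
    problems = []
    accounted = summ.loaded + summ.rejected
    if accounted != ctl.record_count:
        problems.append(f"count: declared {ctl.record_count}, accounted {accounted}")
    amount = summ.amount_loaded + summ.amount_rejected
    if amount != ctl.amount_total:
        problems.append(f"amount: declared {ctl.amount_total}, accounted {amount}")
    return problems


def reconcile_run(controls, summaries):
    """Reconcile every file; a file missing on either side is itself an exception."""
    by_id = {s.file_id: s for s in summaries}
    exceptions = {}
    for ctl in controls:
        summ = by_id.pop(ctl.file_id, None)
        if summ is None:
            exceptions[ctl.file_id] = ["no batch summary: file was not processed"]
            continue
        problems = reconcile_file(ctl, summ)
        if problems:
            exceptions[ctl.file_id] = problems
    for orphan in by_id:
        exceptions[orphan] = ["batch summary without a file control record"]
    return exceptions


def aggregate_variance(controls, summaries):
    """Net record-count variance over the whole run.

    Offsetting per-file errors cancel here, which is why an aggregate
    figure cannot stand in for the per-file check.
    """
    declared = sum(c.record_count for c in controls)
    accounted = sum(s.loaded + s.rejected for s in summaries)
    return accounted - declared


# Constructed sample: three daily files for one hypothetical interface.
SAMPLE_CONTROLS = [
    FileControl("F-0101", 370, Decimal("18500.00")),
    FileControl("F-0102", 365, Decimal("18250.00")),
    FileControl("F-0103", 372, Decimal("18600.00")),
]
SAMPLE_SUMMARIES = [
    # Reconciles: 368 loaded + 2 rejected = 370 declared.
    BatchSummary("F-0101", 368, 2, Decimal("18400.00"), Decimal("100.00")),
    # Rejected records counted twice (in loaded and in rejected): +2 on count,
    # while the amounts still agree.
    BatchSummary("F-0102", 365, 2, Decimal("18150.00"), Decimal("100.00")),
    # Two records dropped without being logged as rejects: -2 on count,
    # and the amount total is short as well.
    BatchSummary("F-0103", 370, 0, Decimal("18500.00"), Decimal("0.00")),
]


if __name__ == "__main__":
    print("aggregate count variance:", aggregate_variance(SAMPLE_CONTROLS, SAMPLE_SUMMARIES))
    for file_id, problems in reconcile_run(SAMPLE_CONTROLS, SAMPLE_SUMMARIES).items():
        for problem in problems:
            print(file_id, "->", problem)
```

In the constructed run the aggregate variance is zero even though two of the three files fail to reconcile, so each exception needs its own documented review.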
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-007 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted: a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan. b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing. c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP. 
Cause MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment. Effect MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding. For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. 
For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability. For part c., although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls. 
Auditor's Comments to Management Views The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2022-009 CHAMPS General Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is the Medicaid and CHIP claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to CHAMPS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-019 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility See Schedule of Findings and Questioned Costs for chart/table. Background In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP. Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. As a result, we sampled beneficiaries for each program who either began receiving assistance or had a change in their type of assistance during fiscal year 2022. We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table. For an estimated 74,086 Medicaid and 16,324 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. 
However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested. The results of the testing for the remaining 54 Medicaid and 48 CHIP beneficiaries we were able to review are summarized in the finding below. Condition MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed: a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 4 (7%) of 54 Medicaid and 11 (23%) of 48 CHIP cases reviewed. b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 54 Medicaid cases reviewed. Criteria Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Cause For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions. For part b., MDHHS indicated the missing documentation resulted from staff oversight. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 9% Medicaid and 23% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance. 
Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. • $1,969 - federal share. • $656 - State share of costs MDHHS inappropriately used as matching. Recommendations We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements. We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-020 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely. On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified it incorrectly recorded $39.1 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2022. However, we selected a sample of 2 beneficiaries that were transferred to CHIP and noted both beneficiaries were not eligible for CHIP but were in fact Medicaid eligible and, therefore, should not have been transferred. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs. Cause MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). 
The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, some cases were transferred in error. Effect MDHHS inappropriately transferred $294 Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Also, of the $39.1 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. For the CHIP compliance requirements noted, we consider this to be a material weakness and material noncompliance because the $39.1 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 14% of total CHIP expenditures and both sample items were inappropriately transferred to CHIP. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. • $235 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $235 is questioned in Finding 2022-019. • $58 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views MDHHS agrees with the finding.
FINDING 2022-021 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Eligibility Interface Errors See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments. Condition MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Cause MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices. Effect MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. 
Recommendation We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate. Management Views MDHHS agrees with the finding.
FINDING 2022-022 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures. Criteria Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935. 
Cause MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS relies on the entities to inform it when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures. Effect MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendations We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures. Management Views MDHHS agrees with the finding.
FINDING 2022-023 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report). We noted: a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $1.6 million of the federal share of overpayments. b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the first quarter of fiscal year 2022. c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting. d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording overpayments on the incorrect CMS-64 line and returning the incorrect federal share. e. MDHHS did not report 11 (44%) of 25 sampled Medicaid overpayments and 2 (50%) of 4 sampled CHIP overpayments accurately or timely, such as incorrectly applying a federal medical assistance percentage rate, untimely reporting after the 1-year time reporting requirement lapsed, or untimely reporting collections received. 
Criteria Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount. Cause MDHHS informed us system issues contributed to the untimely reporting of overpayments. Also, MDHHS stated overpayment receivables entered into CHAMPS were not properly reported due to the design of CHAMPS and the needed quarterly CHAMPS reports were only scheduled to be run on an annual basis. Effect MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendation We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report. Management Views MDHHS agrees with the finding.
FINDING 2022-024 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure MHP, PIHP, MI Choice, and Dental Health Plan medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports. The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care. Criteria Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports. Cause MDHHS informed us it relies on the attestation included within the MLR reports indicating the information submitted is current, complete, accurate, and in compliance with federal regulation 42 CFR 438.8; therefore, MDHHS did not require the comparison to be included. Effect MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports. Management Views MDHHS agrees with the finding.
FINDING 2022-025 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure an independent audit was conducted and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2022. Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries. Criteria Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website. Cause MDHHS informed us it relies on various reviews in lieu of an independent audit of encounter and financial data, such as periodically comparing CHAMPS encounter data with the managed care entities' internally stored encounter data to identify variances. Effect We consider this to be a material weakness and material noncompliance because MDHHS significantly limits its assurance the data submitted by the managed care entities is accurate. Also, inaccurate data could affect the capitation rates developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. 
Recommendation We recommend MDHHS ensure an independent audit is conducted and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities. Management Views MDHHS agrees with the finding.
FINDING 2022-047 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $5,774 for 15 (50%) of 30 payments sampled from a $1,390,653 population of beneficiary payments with no corresponding Medicaid coverage. Criteria Federal regulation 42 CFR 435.1002(b) indicates that federal funding is available only for services provided to eligible beneficiaries. Cause MDHHS informed us because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility. Effect MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs exceed $25,000. • $5,103 - federal share of payments made to providers on behalf of ineligible beneficiaries. • $671 - State share of payments made to providers on behalf of ineligible beneficiaries. Recommendation We recommend that MDHHS ensure that beneficiary eligibility is updated in CHAMPS. Management Views MDHHS agrees with the finding.
FINDING 2022-048 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not prevent or timely recover payments, totaling $324, for 2 (25%) of 8 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 135 allows payment for HHP services on the day a client is discharged from the hospital. Cause MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, the monthly hospitalization reports are not capturing all facility stays for home help clients. Effect MDHHS paid a total of $324 from October 1, 2021 through September 30, 2022 for sampled clients who did not qualify for the HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000.
• $232 - federal share of amounts paid for HHP services while sampled clients were hospitalized. • $92 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-049 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; and Matching, Level of Effort, and Earmarking - Home Help Payment Oversight See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not review home help provider invoices for 4 (27%) of 15 sampled payments to individual providers, totaling $485, to help ensure home help payments were reflective of the services provided. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 requires individual providers to submit monthly invoices for reimbursement. Cause Although the Electronic Service Verifications (ESV) and Paper Service Verifications (PSV) collect information on completed services, prior to April 1, 2022 there was no automated review of the ESV information and there continues to be no automated review of the PSV information to determine if all services were provided before payment was issued. Effect MDHHS paid a total of $485 for services from October 1, 2021 through September 30, 2022 that were not supported by home help provider invoices for the sampled payments. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. • $348 - federal share. • $137 - State share of costs MDHHS inappropriately used as matching.
Recommendation We recommend MDHHS review home help provider invoices to help ensure home help payments are reflective of the services provided. Management Views MDHHS agrees with the finding.
FINDING 2022-050 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $95,211 for 2,154 FFS claims for beneficiaries simultaneously enrolled in an MHP. Criteria According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award. Cause MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us that the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. Effect MDHHS made improper FFS practitioner payments of $95,211 from October 1, 2021 through September 30, 2022. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs • $71,324 - federal share of improper payments made to providers from October 1, 2021 through September 30, 2022. • $23,887 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend that MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster. Management Views MDHHS agrees with the finding.
FINDING 2022-051 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Special Tests and Provisions - MARIS General Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security management over the Medicaid Audit Recovery and Investigation System (MARIS) database. MDHHS staff use MARIS to track and investigate complaints alleging Medicaid fraud, waste, and abuse. The MARIS database management system contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to MARIS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of MARIS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security management over the MARIS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-007 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted: a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan. b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing. c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP. 
Cause MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment. Effect MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding. For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. 
For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability. For part c, although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls. 
Auditor's Comments to Management Views The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2022-009 CHAMPS General Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is the Medicaid and CHIP claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to CHAMPS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-019 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility See Schedule of Findings and Questioned Costs for chart/table. Background In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP. Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. As a result, we sampled beneficiaries for each program who either began receiving assistance or had a change in their type of assistance during fiscal year 2022. We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table. For an estimated 74,086 Medicaid and 16,324 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. 
However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested. The results of the testing for the remaining 54 Medicaid and 48 CHIP beneficiaries we were able to review are summarized in the finding below. Condition MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed: a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 4 (7%) of 54 Medicaid and 11 (23%) of 48 CHIP cases reviewed. b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 54 Medicaid cases reviewed. Criteria Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Cause For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions. For part b., MDHHS indicated the missing documentation resulted from staff oversight. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 9% Medicaid and 23% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance. 
Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $1,969 - federal share. $656 - State share of costs MDHHS inappropriately used as matching. Recommendations We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements. We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-020 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely. On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified it incorrectly recorded $39.1 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2022. However, we selected a sample of 2 beneficiaries that were transferred to CHIP and noted both beneficiaries were not eligible for CHIP but were in fact Medicaid eligible and, therefore, should not have been transferred. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs. Cause MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). 
The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, some cases were transferred in error. Effect MDHHS inappropriately transferred $294 Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Also, of the $39.1 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. For the CHIP compliance requirements noted, we consider this to be a material weakness and material noncompliance because the $39.1 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 14% of total CHIP expenditures and both sample items were inappropriately transferred to CHIP. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $235 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $235 is questioned in Finding 2022-019. $58 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely. 
Management Views MDHHS agrees with the finding.
FINDING 2022-021 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Eligibility Interface Errors See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments. Condition MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Cause MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices. Effect MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. 
Recommendation We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate. Management Views MDHHS agrees with the finding.
FINDING 2022-022 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures. Criteria Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935. 
Cause MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS relies on the entities to inform it when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures. Effect MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendations We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures. Management Views MDHHS agrees with the finding.
FINDING 2022-023 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report). We noted: a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $1.6 million of the federal share of overpayments. b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the first quarter of fiscal year 2022. c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting. d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording overpayments on the incorrect CMS-64 line and returning the incorrect federal share. e. MDHHS did not report 11 (44%) of 25 sampled Medicaid overpayments and 2 (50%) of 4 sampled CHIP overpayments accurately or timely, such as incorrectly applying a federal medical assistance percentage rate, untimely reporting after the 1-year time reporting requirement lapsed, or untimely reporting collections received. 
Criteria Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount. Cause MDHHS informed us system issues contributed to the untimely reporting of overpayments. Also, MDHHS stated overpayment receivables entered into CHAMPS were not properly reported due to the design of CHAMPS and the needed quarterly CHAMPS reports were only scheduled to be run on an annual basis. Effect MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendation We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report. Management Views MDHHS agrees with the finding.
FINDING 2022-024 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure MHP, PIHP, MI Choice, and Dental Health Plan medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports. The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care. Criteria Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports. Cause MDHHS informed us it relies on the attestation included within the MLR reports indicating the information submitted is current, complete, accurate, and in compliance with federal regulation 42 CFR 438.8; therefore, MDHHS did not require the comparison to be included. Effect MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports. Management Views MDHHS agrees with the finding.
FINDING 2022-025 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure an independent audit was conducted and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2022. Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries. Criteria Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website. Cause MDHHS informed us it relies on various reviews in lieu of an independent audit of encounter and financial data, such as periodically comparing CHAMPS encounter data with the managed care entities' internally stored encounter data to identify variances. Effect We consider this to be a material weakness and material noncompliance because MDHHS significantly limits its assurance the data submitted by the managed care entities is accurate. Also, inaccurate data could affect the capitation rates developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. 
Recommendation We recommend MDHHS ensure an independent audit is conducted and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities. Management Views MDHHS agrees with the finding.
FINDING 2022-047 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $5,774 for 15 (50%) of 30 payments sampled from a $1,390,653 population of beneficiary payments with no corresponding Medicaid coverage. Criteria Federal regulation 42 CFR 435.1002(b) indicates that federal funding is available only for services provided to eligible beneficiaries. Cause MDHHS informed us because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility. Effect MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs exceed $25,000. $5,103 - federal share of payments made to providers on behalf of ineligible beneficiaries. $671 - State share of payments made to providers on behalf of ineligible beneficiaries. Recommendation We recommend that MDHHS ensure that beneficiary eligibility is updated in CHAMPS. Management Views MDHHS agrees with the finding.
FINDING 2022-048 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not prevent or timely recover payments, totaling $324, for 2 (25%) of 8 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 135 allows payment for HHP services on the day a client is discharged from the hospital. Cause MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, the monthly hospitalization reports are not capturing all facility stays for home help clients. Effect MDHHS paid a total of $324 from October 1, 2021 through September 30, 2022 for sampled clients who did not qualify for the HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. 
$232 - federal share of amounts paid for HHP services while sampled clients were hospitalized. ? $92 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-049 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; and Matching, Level of Effort, and Earmarking - Home Help Payment Oversight See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not review home help provider invoices for 4 (27%) of 15 sampled payments to individual providers, totaling $485, to help ensure home help payments were reflective of the services provided. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 requires individual providers to submit monthly invoices for reimbursement. Cause Although the Electronic Service Verifications (ESV) and Paper Service Verifications (PSV) collect information on completed services, prior to April 1, 2022 there was no automated review of the ESV information and there continues to be no automated review of the PSV information to determine if all services were provided before payment was issued. Effect MDHHS paid a total of $485 for services from October 1, 2021 through September 30, 2022 that were not supported by home help provider invoices for the sampled payments. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $348 - federal share. $137 - State share of costs MDHHS inappropriately used as matching. 
Recommendation We recommend MDHHS review home help provider invoices to help ensure home help payments are reflective of the services provided. Management Views MDHHS agrees with the finding.
FINDING 2022-050 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $95,211 for 2,154 FFS claims for beneficiaries simultaneously enrolled in an MHP. Criteria According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award. Cause MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us that the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. Effect MDHHS made improper FFS practitioner payments of $95,211 from October 1, 2021 through September 30, 2022. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $71,324 - federal share of improper payments made to providers from October 1, 2021 through September 30, 2022. $23,887 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend that MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster. Management Views MDHHS agrees with the finding.
FINDING 2022-051 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Special Tests and Provisions - MARIS General Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security management over the Medicaid Audit Recovery and Investigation System (MARIS) database. MDHHS staff use MARIS to track and investigate complaints alleging Medicaid fraud, waste, and abuse. The MARIS database management system contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to MARIS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of MARIS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security management over the MARIS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-007 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted: a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan. b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing. c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP. 
Cause MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment. Effect MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding. For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. 
For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability. For part c., although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls. 
Auditor's Comments to Management Views The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2022-009 CHAMPS General Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is the Medicaid and CHIP claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to CHAMPS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-019 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility See Schedule of Findings and Questioned Costs for chart/table. Background In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP. Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. As a result, we sampled beneficiaries for each program who either began receiving assistance or had a change in their type of assistance during fiscal year 2022. We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table. For an estimated 74,086 Medicaid and 16,324 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. 
However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested. The results of the testing for the remaining 54 Medicaid and 48 CHIP beneficiaries we were able to review are summarized in the finding below. Condition MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed: a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 4 (7%) of 54 Medicaid and 11 (23%) of 48 CHIP cases reviewed. b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 54 Medicaid cases reviewed. Criteria Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Cause For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions. For part b., MDHHS indicated the missing documentation resulted from staff oversight. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 9% Medicaid and 23% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance. 
Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $1,969 - federal share. $656 - State share of costs MDHHS inappropriately used as matching. Recommendations We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements. We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-020 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely. On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified it incorrectly recorded $39.1 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2022. However, we selected a sample of 2 beneficiaries that were transferred to CHIP and noted both beneficiaries were not eligible for CHIP but were in fact Medicaid eligible and, therefore, should not have been transferred. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs. Cause MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). 
The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, some cases were transferred in error. Effect MDHHS inappropriately transferred $294 Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Also, of the $39.1 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. For the CHIP compliance requirements noted, we consider this to be a material weakness and material noncompliance because the $39.1 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 14% of total CHIP expenditures and both sample items were inappropriately transferred to CHIP. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $235 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $235 is questioned in Finding 2022-019. $58 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely. 
Management Views MDHHS agrees with the finding.
FINDING 2022-021 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Eligibility Interface Errors See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments. Condition MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Cause MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices. Effect MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. 
Recommendation We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate. Management Views MDHHS agrees with the finding.
FINDING 2022-022 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures. Criteria Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935. 
Cause MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS relies on the entities to inform it when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures. Effect MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendations We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures. Management Views MDHHS agrees with the finding.
FINDING 2022-023 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report). We noted: a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $1.6 million of the federal share of overpayments. b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the first quarter of fiscal year 2022. c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting. d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording overpayments on the incorrect CMS-64 line and returning the incorrect federal share. e. MDHHS did not report 11 (44%) of 25 sampled Medicaid overpayments and 2 (50%) of 4 sampled CHIP overpayments accurately or timely, such as incorrectly applying a federal medical assistance percentage rate, untimely reporting after the 1-year time reporting requirement lapsed, or untimely reporting collections received. 
Criteria Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount. Cause MDHHS informed us system issues contributed to the untimely reporting of overpayments. Also, MDHHS stated overpayment receivables entered into CHAMPS were not properly reported due to the design of CHAMPS and the needed quarterly CHAMPS reports were only scheduled to be run on an annual basis. Effect MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendation We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report. Management Views MDHHS agrees with the finding.
FINDING 2022-024 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure MHP, PIHP, MI Choice, and Dental Health Plan medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports. The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care. Criteria Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports. Cause MDHHS informed us it relies on the attestation included within the MLR reports indicating the information submitted is current, complete, accurate, and in compliance with federal regulation 42 CFR 438.8; therefore, MDHHS did not require the comparison to be included. Effect MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports. Management Views MDHHS agrees with the finding.
FINDING 2022-025 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure an independent audit was conducted and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2022. Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries. Criteria Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website. Cause MDHHS informed us it relies on various reviews in lieu of an independent audit of encounter and financial data, such as periodically comparing CHAMPS encounter data with the managed care entities' internally stored encounter data to identify variances. Effect We consider this to be a material weakness and material noncompliance because MDHHS significantly limits its assurance the data submitted by the managed care entities is accurate. Also, inaccurate data could affect the capitation rates developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. 
Recommendation We recommend MDHHS ensure an independent audit is conducted and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities. Management Views MDHHS agrees with the finding.
FINDING 2022-047 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $5,774 for 15 (50%) of 30 payments sampled from a $1,390,653 population of beneficiary payments with no corresponding Medicaid coverage. Criteria Federal regulation 42 CFR 435.1002(b) indicates that federal funding is available only for services provided to eligible beneficiaries. Cause MDHHS informed us because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility. Effect MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs exceed $25,000. $5,103 - federal share of payments made to providers on behalf of ineligible beneficiaries. $671 - State share of payments made to providers on behalf of ineligible beneficiaries. Recommendation We recommend that MDHHS ensure that beneficiary eligibility is updated in CHAMPS. Management Views MDHHS agrees with the finding.
FINDING 2022-048 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not prevent or timely recover payments, totaling $324, for 2 (25%) of 8 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 135 allows payment for HHP services on the day a client is discharged from the hospital. Cause MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, the monthly hospitalization reports are not capturing all facility stays for home help clients. Effect MDHHS paid a total of $324 from October 1, 2021 through September 30, 2022 for sampled clients who did not qualify for the HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. 
$232 - federal share of amounts paid for HHP services while sampled clients were hospitalized. $92 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-049 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; and Matching, Level of Effort, and Earmarking - Home Help Payment Oversight See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not review home help provider invoices for 4 (27%) of 15 sampled payments to individual providers, totaling $485, to help ensure home help payments were reflective of the services provided. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 requires individual providers to submit monthly invoices for reimbursement. Cause Although the Electronic Service Verifications (ESV) and Paper Service Verifications (PSV) collect information on completed services, prior to April 1, 2022 there was no automated review of the ESV information and there continues to be no automated review of the PSV information to determine if all services were provided before payment was issued. Effect MDHHS paid a total of $485 for services from October 1, 2021 through September 30, 2022 that were not supported by home help provider invoices for the sampled payments. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $348 - federal share. $137 - State share of costs MDHHS inappropriately used as matching. 
Recommendation We recommend MDHHS review home help provider invoices to help ensure home help payments are reflective of the services provided. Management Views MDHHS agrees with the finding.
FINDING 2022-050 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Allowable Costs/Cost Principles and Matching, Level of Effort, and Earmarking - Practitioner Reimbursement See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure proper payment of practitioner fee-for-service (FFS) claims. We noted MDHHS paid $95,211 for 2,154 FFS claims for beneficiaries simultaneously enrolled in an MHP. Criteria According to its Medicaid State Plan, MDHHS provides coverage of practitioner services for eligible Medicaid beneficiaries. Also, MDHHS's policy contained in its Medicaid Provider Manual establishes limitations, restrictions, and other requirements that must be met in order for MDHHS to reimburse Medicaid practitioner FFS claims. In addition, Subpart E of federal regulation 45 CFR 75 requires costs conform to any limitations, exclusions, or conditions and be consistent with policies that apply to the federal award. Cause MDHHS stated eligibility and enrollment are not static, and CHAMPS is not the system of record for eligibility. CHAMPS must make payments to FFS providers and managed care entities based upon the eligibility and enrollment in the system at the time the payment is made. MDHHS informed us that the primary remaining sources for overlaps between FFS and capitation payments are due to retroactive removal of Medicaid eligibility. Effect MDHHS made improper FFS practitioner payments of $95,211 from October 1, 2021 through September 30, 2022. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $71,324 - federal share of improper payments made to providers from October 1, 2021 through September 30, 2022. $23,887 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend that MDHHS ensure proper payment of practitioner FFS claims for the Medicaid Cluster. Management Views MDHHS agrees with the finding.
FINDING 2022-051 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Special Tests and Provisions - MARIS General Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security management over the Medicaid Audit Recovery and Investigation System (MARIS) database. MDHHS staff use MARIS to track and investigate complaints alleging Medicaid fraud, waste, and abuse. The MARIS database management system contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to MARIS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of MARIS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security management over the MARIS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-052 Immunization Cooperative Agreements, ALN 93.268, Special Tests and Provisions - MCIR General Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security configurations for the Michigan Care Improvement Registry (MCIR) database. MCIR serves as the central registry for immunization records in the State, as well as the vaccine inventory management system for providers enrolled in the Vaccines for Children (VFC) program. The MCIR database management systems contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to MCIR. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of MCIR and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security configurations for the MCIR database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-053 Immunization Cooperative Agreements, ALN 93.268, Special Tests and Provisions - Control, Accountability, and Safeguarding of Vaccine and Record of Immunization See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure compliance site visits for providers enrolled in the VFC program were conducted in accordance with federal guidelines. We noted: a. MDHHS did not timely conduct a compliance site visit at least once every 24 months for 16 (40%) of 40 sampled providers. For the 16 providers, the compliance visits were late between 1.8 months and 1.5 years, averaging 9.2 months. b. MDHHS did not conduct a compliance site visit at least once every 24 months for 12 (30%) of 40 sampled providers. For the 12 providers, the compliance visits were not complete as of September 30, 2022 and were overdue between 9.2 months and 3.9 years, averaging 1.5 years. c. MDHHS did not conduct site visits for over 70% of VFC providers during fiscal year 2022; instead, MDHHS completed site visits for only 43% of providers. Criteria Federal law 42 USC 1396s requires vaccines to be adequately safeguarded and used solely for authorized purposes. The HHS's Centers for Disease Control and Prevention's (CDC's) Vaccines for Children July 2021 and July 2022 Operations Guides state awardees must conduct and record VFC compliance site visits, covering areas of provider details, eligibility, documentation, storage and handling, and inventory management with each VFC provider every 24 months. In addition, the CDC's approval of MDHHS's monitoring program includes conducting annual site visits to over 70% of VFC provider clinic sites each year.
Because of the COVID-19 pandemic, the CDC provided separate guidance noting hybrid (virtual plus in person) compliance site visits could be conducted to reduce the amount of time reviewers needed to spend physically on site at the provider and in August 2020 permitted, for a limited time, virtual only site visits as an alternative to in-person or hybrid site visits. The CDC also issued frequently asked questions providing clarification for the virtual and hybrid options. These frequently asked questions encouraged awardees to resume traditional in-person site visits as soon as local pandemic conditions and travel restrictions allow. Cause MDHHS resumed conducting regular site visits for a limited number of providers during fiscal year 2022. Also, MDHHS informed us it did not conduct provider compliance site visits for all providers because the CDC allowed jurisdictions to temporarily suspend site visits during the COVID-19 pandemic; however, the CDC did not update its Operations Guide to allow for a temporary suspension of the required site visits and COVID-19 guidance indicates awardees should still attempt to schedule virtual site visits with VFC providers. Effect We consider this to be a material weakness and material noncompliance because MDHHS could not ensure VFC providers adequately safeguarded and used vaccines solely for authorized purposes and because of the high error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure required compliance site visits for providers enrolled in the VFC program are conducted. Management Views MDHHS disagrees with the finding. Site visits were not conducted for all Vaccines for Children providers during the review period because the Centers for Disease Control and Prevention (CDC) allowed jurisdictions to temporarily suspend these visits during the COVID-19 pandemic. 
MDHHS reached out to the CDC for clarification on conducting site visits and was informed that site visit activities may be suspended based on COVID-19 activity in MDHHS's jurisdiction and capacity within MDHHS's organization. Information supporting this decision was provided to the audit team. Auditor's Comments to Management Views While the CDC communicated that a temporary suspension was permissible, the CDC compliance site visit requirement did not change. Also, the special tests and provisions compliance requirements for Control, Accountability, and Safeguarding of Vaccine and Record of Immunization were subject to audit according to OMB Compliance Supplement. As the federal grantor agency, the CDC has discretion as to whether penalties will be assessed for noncompliance. However, neither this nor MDHHS's capacity to complete these required site visits alleviates our responsibility to report noncompliance under the Uniform Guidance. Therefore, the finding stands as written.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-026 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC), ALN 93.323 and Disaster Grants - Public Assistance (Presidentially Declared Disasters), ALN 97.036 - Long-Term Care (LTC) Facility COVID-19 Testing Reimbursements See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not maintain sufficient documentation to demonstrate a process was in place to ensure long-term care (LTC) facility COVID-19 testing reimbursement requests, totaling $48.5 million ($46.4 million Disaster Grants - Public Assistance (Presidentially Declared Disasters) and $2.1 million ELC), were reasonable and appropriate. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over the federal award that provides reasonable assurance the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Also, Subpart E of federal regulations 2 CFR 200 and 5 CFR 75 require costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program. Cause MDHHS believed its process was sufficient to ensure requests were reasonable and appropriate. However, the documentation provided did not substantiate the procedures completed. Effect MDHHS could not demonstrate the costs complied with the applicable federal regulations ensuring reasonableness of the amounts requested. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS maintain sufficient documentation to demonstrate its process to ensure LTC facility COVID-19 testing reimbursement requests are reasonable and appropriate. Management Views MDHHS agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-008 MiSACWIS Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over the Michigan Statewide Automated Child Welfare Information System (MiSACWIS). We noted: a. MDHHS did not properly approve 3 (8%) of the 40 sampled MiSACWIS application security agreements prior to granting access to MiSACWIS. b. MDHHS did not maintain documentation for 12 (30%) of 40 sampled MiSACWIS incompatible role exception requests. Of the 28 forms received, we noted MDHHS did not properly approve 3 (11%) forms prior to granting the exception requests. c. DTMB did not fully establish and implement effective security configurations for the MiSACWIS database. The MiSACWIS database management system contained potentially vulnerable database configurations. d. MDHHS did not always perform or document its monitoring of high-risk transactions. e. MDHHS did not review its semiannual recertification of 1 of 5 sampled MiSACWIS privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 4 (16%) of 25 sampled MiSACWIS non-privileged user accounts. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. 
The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts. In addition, GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties' conflicts exist. Cause For parts a. and b., MDHHS informed us local office security coordinators and security administrators did not follow established policies and procedures regarding granting of MiSACWIS access. Also, MDHHS informed us the exception reviewer approved the conflicting roles instead of routing the role exception requests to the exception manager for review. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control was not always sufficient to ensure it completed and retained documentation to support its monitoring of high-risk transactions. For part e., MDHHS informed us the users' roles were not always recertified due to staff oversight. 
Effect Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to MiSACWIS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the MiSACWIS application and data used to help determine eligibility and benefits for TANF, Foster Care - Title IV-E, Adoption Assistance, and Social Services Block Grant. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over MiSACWIS. Management Views MDHHS agrees with parts a., b., d., and e. of the finding. DTMB disagrees with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether MDHHS and DTMB completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-010 MARS User Access See Schedule of Findings and Questioned Costs for chart/table. Condition The Department of Labor and Economic Opportunity (LEO) did not fully establish effective user access controls over the Management of Awards to Recipients System (MARS). Michigan Works! Agencies used MARS to request reimbursement, report expenditures, and view financial data related to employment, education, and training services provided to clients. We noted: a. LEO did not review MARS user access semiannually for privileged accounts or annually for all other accounts. b. LEO did not disable 83 (44%) of 189 active MARS user accounts that had not accessed the application in over 60 days as of September 30, 2022. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts and the information system to automatically disable inactive user accounts after 60 days. 
Cause LEO informed us that because of staffing limitations, some processes could not be followed or established. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MARS. As a result, an increased risk exists that LEO cannot ensure the security of the MARS application and data used to issue payments to subrecipients* of federal awards. Known Questioned Costs None. Recommendation We recommend LEO fully establish effective user access controls over MARS. Management Views LEO agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-054 Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Non-Financial Eligibility Documentation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain or maintain sufficient non-financial case record documentation to support client eligibility for TANF-funded assistance payments. We noted the client's case records did not include the following: a. Documentation to support completion of the Family Self-Sufficiency Plan, verifications to support the relationship of the child to the adult on the case record, records to support children older than 6 were attending school full time, and inquiry regarding parole violations for 6 (30%) of 20 sampled TANF-funded Family Independence Program (FIP) payments. b. Completed applications, support for timely completion of the Family Automated Screening Tool, verifications to support the relationship of the child to the adult on the case record, and records to support children older than 6 were attending school full time for 2 (29%) of 7 sampled TANF-COVID-19 funded clothing allowance payments for eligible children receiving FIP or ineligible for FIP due to receiving Supplemental Security Income during September 2022. Criteria Federal regulation 45 CFR 260.20 requires a family be needy in order to be eligible for TANF assistance and job preparation services. Federal regulation 45 CFR 205.60(a) requires MDHHS to maintain records to support eligibility, including facts to support the client's need for assistance. MDHHS's policies and procedures require documentation used to verify eligibility be maintained in the case file. Also, federal law 42 USC 608(a)(9)(A) states that a state may not provide assistance to any individual who is violating a condition of probation or parole imposed under federal or State law. 
Further, Public Act 166 of 2022 required MDHHS to allocate an annual clothing allowance to all eligible children in a FIP group. In addition, Subpart E of federal regulation 45 CFR 75 requires costs charged to federal programs be adequately documented, be necessary and reasonable for the administration of the federal award, be in accordance with the relative benefits received by the program, and be consistent with policies and procedures that apply to both the federal award and other activities of the state. Cause For part a., MDHHS informed us its controls were not sufficient to ensure that all of the required verification documentation was appropriately maintained in the client's case record. For part b., MDHHS informed us that because these families received FIP benefits during September 2022, they were eligible for the COVID-19 clothing allowance. However, our review disclosed the two case records did not support FIP eligibility for September 2022. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments to ineligible recipients and because of the high error rates noted. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $8,368 - federal share. $56 - State share of costs MDHHS inappropriately used as State maintenance of effort. Recommendation We recommend MDHHS obtain and maintain sufficient non-financial case record documentation to support client eligibility for TANF-funded assistance payments. Management Views MDHHS agrees with the finding.
FINDING 2022-055 Temporary Assistance for Needy Families, ALN 93.558, Reporting - Accuracy of Financial Reports See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not submit accurate financial reports to HHS's Administration for Children and Families (ACF). Our review of the fiscal year 2022 fourth quarter TANF financial report (ACF-196R) noted MDHHS excluded $23.1 million in federal expenditures incurred by LEO. Also, MDHHS inappropriately included these expenditures in its fiscal year 2023 first quarter financial report instead of submitting a corrected fiscal year 2022 financial report for the quarter ended September 30, 2022. Criteria Federal regulation 2 CFR 200.302(b)(2) requires grantees to submit accurate financial data in accordance with a grant program's reporting requirements. The reporting instructions include details for reporting expenditures made in the federal fiscal year for the grant year being reported. The instructions also state revisions to expenditures reported in prior years should be made to the report of the fiscal year in which the expenditure occurred. Cause MDHHS informed us its internal control approval process was not timely and resulted in excluding LEO's fourth quarter interagency billing from the 2022 financial report. Effect MDHHS may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of TANF funds. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS improve its internal control and submit revised financial reports to ACF. Management Views MDHHS agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-008 MiSACWIS Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over the Michigan Statewide Automated Child Welfare Information System (MiSACWIS). We noted: a. MDHHS did not properly approve 3 (8%) of the 40 sampled MiSACWIS application security agreements prior to granting access to MiSACWIS. b. MDHHS did not maintain documentation for 12 (30%) of 40 sampled MiSACWIS incompatible role exception requests. Of the 28 forms received, we noted MDHHS did not properly approve 3 (11%) forms prior to granting the exception requests. c. DTMB did not fully establish and implement effective security configurations for the MiSACWIS database. The MiSACWIS database management system contained potentially vulnerable database configurations. d. MDHHS did not always perform or document its monitoring of high-risk transactions. e. MDHHS did not review its semiannual recertification of 1 of 5 sampled MiSACWIS privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 4 (16%) of 25 sampled MiSACWIS non-privileged user accounts. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. 
The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts. In addition, GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties' conflicts exist. Cause For parts a. and b., MDHHS informed us local office security coordinators and security administrators did not follow established policies and procedures regarding granting of MiSACWIS access. Also, MDHHS informed us the exception reviewer approved the conflicting roles instead of routing the role exception requests to the exception manager for review. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control was not always sufficient to ensure it completed and retained documentation to support its monitoring of high-risk transactions. For part e., MDHHS informed us the users' roles were not always recertified due to staff oversight. 
Effect Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to MiSACWIS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the MiSACWIS application and data used to help determine eligibility and benefits for TANF, Foster Care - Title IV-E, Adoption Assistance, and Social Services Block Grant. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over MiSACWIS. Management Views MDHHS agrees with parts a., b., d., and e. of the finding. DTMB disagrees with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether MDHHS and DTMB completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-010 MARS User Access See Schedule of Findings and Questioned Costs for chart/table. Condition The Department of Labor and Economic Opportunity (LEO) did not fully establish effective user access controls over the Management of Awards to Recipients System (MARS). Michigan Works! Agencies used MARS to request reimbursement, report expenditures, and view financial data related to employment, education, and training services provided to clients. We noted: a. LEO did not review MARS user access semiannually for privileged accounts or annually for all other accounts. b. LEO did not disable 83 (44%) of 189 active MARS user accounts that had not accessed the application in over 60 days as of September 30, 2022. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts and the information system to automatically disable inactive user accounts after 60 days. 
Cause LEO informed us that because of staffing limitations, some processes could not be followed or established. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MARS. As a result, an increased risk exists that LEO cannot ensure the security of the MARS application and data used to issue payments to subrecipients* of federal awards. Known Questioned Costs None. Recommendation We recommend LEO fully establish effective user access controls over MARS. Management Views LEO agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-054 Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Non-Financial Eligibility Documentation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain or maintain sufficient non-financial case record documentation to support client eligibility for TANF-funded assistance payments. We noted the client's case records did not include the following: a. Documentation to support completion of the Family Self-Sufficiency Plan, verifications to support the relationship of the child to the adult on the case record, records to support children older than 6 were attending school full time, and inquiry regarding parole violations for 6 (30%) of 20 sampled TANF-funded Family Independence Program (FIP) payments. b. Completed applications, support for timely completion of the Family Automated Screening Tool, verifications to support the relationship of the child to the adult on the case record, and records to support children older than 6 were attending school full time for 2 (29%) of 7 sampled TANF-COVID-19 funded clothing allowance payments for eligible children receiving FIP or ineligible for FIP due to receiving Supplemental Security Income during September 2022. Criteria Federal regulation 45 CFR 260.20 requires a family be needy in order to be eligible for TANF assistance and job preparation services. Federal regulation 45 CFR 205.60(a) requires MDHHS to maintain records to support eligibility, including facts to support the client's need for assistance. MDHHS's policies and procedures require documentation used to verify eligibility be maintained in the case file. Also, federal law 42 USC 608(a)(9)(A) states that a state may not provide assistance to any individual who is violating a condition of probation or parole imposed under federal or State law. 
Further, Public Act 166 of 2022 required MDHHS to allocate an annual clothing allowance to all eligible children in a FIP group. In addition, Subpart E of federal regulation 45 CFR 75 requires costs charged to federal programs be adequately documented, be necessary and reasonable for the administration of the federal award, be in accordance with the relative benefits received by the program, and be consistent with policies and procedures that apply to both the federal award and other activities of the state. Cause For part a., MDHHS informed us its controls were not sufficient to ensure that all of the required verification documentation was appropriately maintained in the client's case record. For part b., MDHHS informed us that because these families received FIP benefits during September 2022, they were eligible for the COVID-19 clothing allowance. However, our review disclosed the two case records did not support FIP eligibility for September 2022. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments to ineligible recipients and because of the high error rates noted. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $8,368 - federal share. $56 - State share of costs MDHHS inappropriately used as State maintenance of effort. Recommendation We recommend MDHHS obtain and maintain sufficient non-financial case record documentation to support client eligibility for TANF-funded assistance payments. Management Views MDHHS agrees with the finding.
FINDING 2022-055 Temporary Assistance for Needy Families, ALN 93.558, Reporting - Accuracy of Financial Reports See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not submit accurate financial reports to HHS's Administration for Children and Families (ACF). Our review of the fiscal year 2022 fourth quarter TANF financial report (ACF-196R) noted MDHHS excluded $23.1 million in federal expenditures incurred by LEO. Also, MDHHS inappropriately included these expenditures in its fiscal year 2023 first quarter financial report instead of submitting a corrected fiscal year 2022 financial report for the quarter ended September 30, 2022. Criteria Federal regulation 2 CFR 200.302(b)(2) requires grantees to submit accurate financial data in accordance with a grant program's reporting requirements. The reporting instructions include details for reporting expenditures made in the federal fiscal year for the grant year being reported. The instructions also state revisions to expenditures reported in prior years should be made to the report of the fiscal year in which the expenditure occurred. Cause MDHHS informed us its internal control approval process was not timely and resulted in excluding LEO's fourth quarter interagency billing from the 2022 financial report. Effect MDHHS may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of TANF funds. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS improve its internal control and submit revised financial reports to ACF. Management Views MDHHS agrees with the finding.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.
Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding.
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform postimplementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-056 Low-Income Home Energy Assistance, ALN 93.568, Cash Management - Recertification of Clearance Patterns See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Treasury (Treasury) did not adequately review and recertify the accuracy of the clearance patterns contained in the agreement with the U.S. Department of the Treasury, referred to as the Treasury State Agreement (TSA). We noted Treasury did not reassess the accuracy of the LIHEAP clearance patterns as specified in its fiscal year 2022 TSA, which were last reviewed and updated in its fiscal year 2015 TSA. Criteria Federal regulation 31 CFR 205.20 requires the clearance pattern to be based on at least three consecutive months of disbursement data to accurately represent the flow of federal funds and reflect seasonal or other periodic variations in clearance activity of the program to which it is applied. Also, federal regulation 31 CFR 205.22(b) states the State must recertify the accuracy of a clearance pattern every five years. Cause Treasury informed us staff turnover and the transfer of the TSA process to another Treasury office contributed to its delay in the recertification of the clearance patterns. Effect Failure to ensure the accuracy of clearance patterns could cause the State to inappropriately calculate the date it should request reimbursement from the U.S. Department of the Treasury for federal assistance programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend that Treasury review and recertify the accuracy of the clearance patterns specified in the TSA. Management Views Treasury agrees with the finding.
FINDING 2022-057 Low-Income Home Energy Assistance, ALN 93.568, Eligibility - Eligibility Determinations See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not maintain sufficient documentation of its efforts to evaluate client eligibility; examples of documentation include support for the verification of the client's income, assets, and proof of energy crisis for 13 (32%) of 41 sampled LIHEAP-funded State Emergency Relief (SER) energy payments. Criteria Federal law 42 USC 8624 requires the State to expend funds in accordance with the LIHEAP State Plan and allows MDHHS to use LIHEAP funds to intervene in energy-related crisis situations and assist eligible households to meet the costs of home energy. MDHHS policy requires county/district office caseworkers to verify and include certain assets or income of SER group members during intake in order to determine eligibility for SER energy services. Also, policy states the payment amount must match the amount on the past due or shut-off notice. Cause MDHHS's internal control and monitoring activities were not sufficient to ensure that county/district office caseworkers adhered to established policies and procedures. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible recipients and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $3,772 - federal share. Recommendation We recommend MDHHS maintain sufficient documentation to support client eligibility for LIHEAP-funded SER energy payments. Management Views MDHHS agrees with the finding.
FINDING 2022-058 Low-Income Home Energy Assistance, ALN 93.568, Reporting - Annual Report on Households Assisted by LIHEAP See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure the accuracy of the Annual Report on Households Assisted by LIHEAP reported to HHS's ACF. Our review disclosed MDHHS did not accurately report 2 (14%) of 14 line items reviewed. MDHHS did not include 12,799 (4%) applicants for heating assistance and 1,396 (60%) applicants for furnace repair and replacement assistance. Criteria Federal regulation 45 CFR 96.82(b) requires each grantee to submit to the U.S. Department of Health and Human Services, as part of its LIHEAP grant application, data on the number of households receiving LIHEAP assistance during the 12-month period corresponding to the federal fiscal year. The reporting instructions include details for reporting household counts for assisted households and applicant households for the federal fiscal year. Cause MDHHS and DTMB informed us additional applicants were identified in Treasury's home heating credit data after the report was submitted and resulted in underreporting heating assistance applicants. MDHHS and DTMB also informed us an error in DTMB's query language resulted in underreporting furnace repair and replacement applicants. Effect MDHHS may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of LIHEAP funds. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure the accuracy of the Annual Report on Households Assisted by LIHEAP reported to HHS's ACF. Management Views MDHHS agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform postimplementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs ? $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding
FINDING 2022-056 Low-Income Home Energy Assistance, ALN 93.568, Cash Management - Recertification of Clearance Patterns See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Treasury (Treasury) did not adequately review and recertify the accuracy of the clearance patterns contained in the agreement with the U.S. Department of the Treasury, referred to as the Treasury State Agreement (TSA). We noted Treasury did not reassess the accuracy of the LIHEAP clearance patterns as specified in its fiscal year 2022 TSA, which were last reviewed and updated in its fiscal year 2015 TSA. Criteria Federal regulation 31 CFR 205.20 requires the clearance pattern to be based on at least three consecutive months of disbursement data to accurately represent the flow of federal funds and reflect seasonal or other periodic variations in clearance activity of the program to which it is applied. Also, federal regulation 31 CFR 205.22(b) states the State must recertify the accuracy of a clearance pattern every five years. Cause Treasury informed us staff turnover and the transfer of the TSA process to another Treasury office contributed to its delay in the recertification of the clearance patterns. Effect Failure to ensure the accuracy of clearance patterns could cause the State to inappropriately calculate the date it should request reimbursement from the U.S. Department of the Treasury for federal assistance programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend that Treasury review and recertify the accuracy of the clearance patterns specified in the TSA. Management Views Treasury agrees with the finding.
FINDING 2022-057 Low-Income Home Energy Assistance, ALN 93.568, Eligibility - Eligibility Determinations See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not maintain sufficient documentation of its efforts to evaluate client eligibility; examples of documentation include support for the verification of the client's income, assets, and proof of energy crisis for 13 (32%) of 41 sampled LIHEAP-funded State Emergency Relief (SER) energy payments. Criteria Federal law 42 USC 8624 requires the State to expend funds in accordance with the LIHEAP State Plan and allows MDHHS to use LIHEAP funds to intervene in energy-related crisis situations and assist eligible households to meet the costs of home energy. MDHHS policy requires county/district office caseworkers to verify and include certain assets or income of SER group members during intake in order to determine eligibility for SER energy services. Also, policy states the payment amount must match the amount on the past due or shut-off notice. Cause MDHHS's internal control and monitoring activities were not sufficient to ensure that county/district office caseworkers adhered to established policies and procedures. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible recipients and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $3,772 - federal share. Recommendation We recommend MDHHS maintain sufficient documentation to support client eligibility for LIHEAP-funded SER energy payments. Management Views MDHHS agrees with the finding.
FINDING 2022-058 Low-Income Home Energy Assistance, ALN 93.568, Reporting - Annual Report on Households Assisted by LIHEAP See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure the accuracy of the Annual Report on Households Assisted by LIHEAP reported to HHS's ACF. Our review disclosed MDHHS did not accurately report 2 (14%) of 14 line items reviewed. MDHHS did not include 12,799 (4%) applicants for heating assistance and 1,396 (60%) applicants for furnace repair and replacement assistance. Criteria Federal regulation 45 CFR 96.82(b) requires each grantee to submit to the U.S. Department of Health and Human Services, as part of its LIHEAP grant application, data on the number of households receiving LIHEAP assistance during the 12-month period corresponding to the federal fiscal year. The reporting instructions include details for reporting household counts for assisted households and applicant households for the federal fiscal year. Cause MDHHS and DTMB informed us additional applicants were identified in Treasury's home heating credit data after the report was submitted and resulted in underreporting heating assistance applicants. MDHHS and DTMB also informed us an error in DTMB's query language resulted in underreporting furnace repair and replacement applicants. Effect MDHHS may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of LIHEAP funds. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure the accuracy of the Annual Report on Households Assisted by LIHEAP reported to HHS's ACF. Management Views MDHHS agrees with the finding.
FINDING 2022-007 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted: a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan. b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing. c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP. 
Cause MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment. Effect MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding. For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. 
For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability. For part c, although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls. 
Auditor's Comments to Management Views The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2022-008 MiSACWIS Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over the Michigan Statewide Automated Child Welfare Information System (MiSACWIS). We noted: a. MDHHS did not properly approve 3 (8%) of the 40 sampled MiSACWIS application security agreements prior to granting access to MiSACWIS. b. MDHHS did not maintain documentation for 12 (30%) of 40 sampled MiSACWIS incompatible role exception requests. Of the 28 forms received, we noted MDHHS did not properly approve 3 (11%) forms prior to granting the exception requests. c. DTMB did not fully establish and implement effective security configurations for the MiSACWIS database. The MiSACWIS database management system contained potentially vulnerable database configurations. d. MDHHS did not always perform or document its monitoring of high-risk transactions. e. MDHHS did not review its semiannual recertification of 1 of 5 sampled MiSACWIS privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 4 (16%) of 25 sampled MiSACWIS non-privileged user accounts. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. 
The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts. In addition, GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties' conflicts exist. Cause For parts a. and b., MDHHS informed us local office security coordinators and security administrators did not follow established policies and procedures regarding granting of MiSACWIS access. Also, MDHHS informed us the exception reviewer approved the conflicting roles instead of routing the role exception requests to the exception manager for review. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control was not always sufficient to ensure it completed and retained documentation to support its monitoring of high-risk transactions. For part e., MDHHS informed us the users' roles were not always recertified due to staff oversight. 
Effect Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to MiSACWIS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the MiSACWIS application and data used to help determine eligibility and benefits for TANF, Foster Care - Title IV-E, Adoption Assistance, and Social Services Block Grant. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over MiSACWIS. Management Views MDHHS agrees with parts a., b., d., and e. of the finding. DTMB disagrees with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether MDHHS and DTMB completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-007 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 6 significant systems and noted: a. MDHHS did not include all critical elements in the business continuity plan (BCP) for 1 system during fiscal year 2022, such as annual review and testing of the plan. b. MDHHS and DTMB did not update, review, or test the disaster recovery plan (DRP) for 1 system during fiscal year 2022, and there was not sufficient documentation to support critical elements for the DRP of a separate system, such as annual testing. c. MDHHS and DTMB did not complete all necessary updates to the system security plan for 3 systems during fiscal year 2022, including not updating the risk assessment for 2 of those systems which resulted in the expiration of the authority to operate (ATO) for the 3 systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish a security plan and policies and procedures to address disaster recovery, as well as contingency plans to meet critical processing needs in the event of short- or long-term interruption of services, and plans for emergency preparedness. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.070.02 requires DRPs to be updated, reviewed, and tested annually. The Standard also requires documenting test results in the DRP. 
Cause MDHHS and DTMB indicated that resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. These priorities were given precedence over reviewing expired ATOs based on the overall risk and return on investment. Effect MDHHS cannot demonstrate it has implemented effective controls to ensure the confidentiality, integrity, and availability of its information systems and cannot ensure it complies with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete BCPs and DRPs could result in delays in restoring critical systems and business processes. Outdated system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views MDHHS agrees with part a. of the finding. MDHHS and DTMB disagree with parts b. and c. of the finding. For part b., for the first system identified, although DTMB did not proactively schedule an annual disaster recovery test, DTMB successfully performed an actual failover and supporting documentation was provided to the auditors. The actual failover demonstrated that the disaster recovery plan (DRP) worked, was complete, and no delays were experienced in restoring the critical system, therefore DTMB did not perform additional testing activities and it was unnecessary to perform a separate review or update. 
For the second system identified, the DRP was tested in accordance with the State of Michigan Standard and DTMB provided the auditors with supporting documentation that updates were made to the DRP within the State of Michigan DRP repository. The State's environment and data centers leverage an infrastructure that is comprised of fully redundant load balanced systems at alternate sites, data mirroring, and data replication to help ensure high availability. For part c, although MDHHS agrees that system security plans were not updated timely for the systems cited, MDHHS disagrees that effective controls were not implemented to ensure confidentiality, integrity, and availability of its automated data processing (ADP) information systems. MDHHS also disagrees that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described above. MDHHS has compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS monitors remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of the authority to operate (ATO). In addition, MDHHS is required to audit a portion of these systems (CHAMPS, Bridges, Enterprise Common Controls) as part of responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to the data stored in those systems. In addition, 2 of the 3 ADP systems cited for not having an updated risk assessment are reviewed biennially through the Internal Control Evaluation (ICE) process where control evidence is updated to demonstrate effectiveness of controls. 
Auditor's Comments to Management Views The supporting documentation provided did not substantiate the DRPs were updated, reviewed, or tested during fiscal year 2022 in accordance with SOM technical standards. In addition, MDHHS acknowledged system security plans were not updated timely for the systems cited. DRPs, system security plans, and risk assessments are designed to help mitigate potential vulnerabilities, not eliminate them entirely, indicating potential vulnerabilities still exist. While MDHHS may monitor the remediation of identified risks through POAMS, 2 of the 3 systems cited did not have an updated risk assessment, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the ICE process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2022-008 MiSACWIS Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over the Michigan Statewide Automated Child Welfare Information System (MiSACWIS). We noted: a. MDHHS did not properly approve 3 (8%) of the 40 sampled MiSACWIS application security agreements prior to granting access to MiSACWIS. b. MDHHS did not maintain documentation for 12 (30%) of 40 sampled MiSACWIS incompatible role exception requests. Of the 28 forms received, we noted MDHHS did not properly approve 3 (11%) forms prior to granting the exception requests. c. DTMB did not fully establish and implement effective security configurations for the MiSACWIS database. The MiSACWIS database management system contained potentially vulnerable database configurations. d. MDHHS did not always perform or document its monitoring of high-risk transactions. e. MDHHS did not review its semiannual recertification of 1 of 5 sampled MiSACWIS privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 4 (16%) of 25 sampled MiSACWIS non-privileged user accounts. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. 
The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts. In addition, GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties' conflicts exist. Cause For parts a. and b., MDHHS informed us local office security coordinators and security administrators did not follow established policies and procedures regarding granting of MiSACWIS access. Also, MDHHS informed us the exception reviewer approved the conflicting roles instead of routing the role exception requests to the exception manager for review. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control was not always sufficient to ensure it completed and retained documentation to support its monitoring of high-risk transactions. For part e., MDHHS informed us the users' roles were not always recertified due to staff oversight. 
Effect Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to MiSACWIS. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the MiSACWIS application and data used to help determine eligibility and benefits for TANF, Foster Care - Title IV-E, Adoption Assistance, and Social Services Block Grant. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over MiSACWIS. Management Views MDHHS agrees with parts a., b., d., and e. of the finding. DTMB disagrees with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether MDHHS and DTMB completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs ? $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-059 Social Services Block Grant, ALN 93.667, Reporting - Post-Expenditure Report See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not submit an accurate post-expenditure report to ACF. Our review of the fiscal year 2022 Social Services Block Grant (SSBG) Post-Expenditure Report noted MDHHS inappropriately excluded 21,162 recipients who received Independent Living Services (ILS) funded by the SSBG program, resulting in a 13% understatement of total recipients on the report. Criteria Federal law 42 USC 1397e requires each state to prepare and submit an annual post-expenditure report to include the number of individuals who received services paid for in whole or in part with funds and the amount spent in providing each type of service. The SSBG Post-Expenditure Report instructions provide that the total number of recipients includes all recipients of services supported by the total expenditures. Cause MDHHS informed us ILS recipients were excluded from the SSBG Post-Expenditure Report because it misunderstood information provided by the auditors in fiscal year 2021. Subsequent to our review, MDHHS submitted a revised report and included these recipients. Effect MDHHS may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of SSBG funds. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS submit accurate post-expenditure reports and include all individuals receiving SSBG supported services. Management Views MDHHS agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient's eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-009 CHAMPS General Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is the Medicaid and CHIP claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to CHAMPS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-019 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility See Schedule of Findings and Questioned Costs for chart/table. Background In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP. Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. As a result, we sampled beneficiaries for each program who either began receiving assistance or had a change in their type of assistance during fiscal year 2022. We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table. For an estimated 74,086 Medicaid and 16,324 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. 
However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested. The results of the testing for the remaining 54 Medicaid and 48 CHIP beneficiaries we were able to review are summarized in the finding below. Condition MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed: a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 4 (7%) of 54 Medicaid and 11 (23%) of 48 CHIP cases reviewed. b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 54 Medicaid cases reviewed. Criteria Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Cause For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions. For part b., MDHHS indicated the missing documentation resulted from staff oversight. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 9% Medicaid and 23% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance. 
Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. • $1,969 - federal share. • $656 - State share of costs MDHHS inappropriately used as matching. Recommendations We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements. We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-020 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely. On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified it incorrectly recorded $39.1 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2022. However, we selected a sample of 2 beneficiaries that were transferred to CHIP and noted both beneficiaries were not eligible for CHIP but were in fact Medicaid eligible and, therefore, should not have been transferred. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs. Cause MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). 
The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, some cases were transferred in error. Effect MDHHS inappropriately transferred $294 Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Also, of the $39.1 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. For the CHIP compliance requirements noted, we consider this to be a material weakness and material noncompliance because the $39.1 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 14% of total CHIP expenditures and both sample items were inappropriately transferred to CHIP. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. • $235 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $235 is questioned in Finding 2022-019. • $58 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely. 
Management Views MDHHS agrees with the finding.
FINDING 2022-021 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Eligibility Interface Errors See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments. Condition MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Cause MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices. Effect MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. 
Recommendation We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate. Management Views MDHHS agrees with the finding.
FINDING 2022-022 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures. Criteria Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935. 
Cause MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS relies on the entities to inform it when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures. Effect MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendations We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures. Management Views MDHHS agrees with the finding.
FINDING 2022-023 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report). We noted: a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $1.6 million of the federal share of overpayments. b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the first quarter of fiscal year 2022. c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting. d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording overpayments on the incorrect CMS-64 line and returning the incorrect federal share. e. MDHHS did not report 11 (44%) of 25 sampled Medicaid overpayments and 2 (50%) of 4 sampled CHIP overpayments accurately or timely, such as incorrectly applying a federal medical assistance percentage rate, untimely reporting after the 1-year time reporting requirement lapsed, or untimely reporting collections received. 
Criteria Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount. Cause MDHHS informed us system issues contributed to the untimely reporting of overpayments. Also, MDHHS stated overpayment receivables entered into CHAMPS were not properly reported due to the design of CHAMPS and the needed quarterly CHAMPS reports were only scheduled to be run on an annual basis. Effect MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendation We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report. Management Views MDHHS agrees with the finding.
FINDING 2022-024 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure MHP, PIHP, MI Choice, and Dental Health Plan medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports. The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care. Criteria Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports. Cause MDHHS informed us it relies on the attestation included within the MLR reports indicating the information submitted is current, complete, accurate, and in compliance with federal regulation 42 CFR 438.8; therefore, MDHHS did not require the comparison to be included. Effect MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports. Management Views MDHHS agrees with the finding.
FINDING 2022-025 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure an independent audit was conducted and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2022. Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries. Criteria Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website. Cause MDHHS informed us it relies on various reviews in lieu of an independent audit of encounter and financial data, such as periodically comparing CHAMPS encounter data with the managed care entities' internally stored encounter data to identify variances. Effect We consider this to be a material weakness and material noncompliance because MDHHS significantly limits its assurance the data submitted by the managed care entities is accurate. Also, inaccurate data could affect the capitation rates developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. 
Recommendation We recommend MDHHS ensure an independent audit is conducted and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities. Management Views MDHHS agrees with the finding.
FINDING 2022-003 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Health and Human Services (MDHHS) and DTMB did not always ensure its interface controls over the Bridges Integrated Automated Eligibility Determination System* (Bridges) data exchanges were operating as prescribed. MDHHS uses Bridges for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. We noted: a. DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 1 of the 9 interfaces sampled. For this 1 interface, we sampled 27 daily files and noted 2 (7%) files did not reconcile. b. MDHHS had not established data sharing agreements with all State agencies that exchanged information with Bridges. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends that interface controls should be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Federal regulations 7 CFR 272.8(a)(4), 45 CFR 205.58, and 42 CFR 435.945(i) require MDHHS to execute data sharing agreements with agencies from which MDHHS requests and obtains income and eligibility information. Cause For part a., DTMB informed us because of a coding issue, record counts were inappropriately duplicated and the exceptions were not caught during development. For part b., MDHHS informed us staffing limitations and the COVID-19* state of emergency resulted in many priorities being shifted to support emergency activities. Effect MDHHS's and DTMB's weaknesses in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with part a. of the finding. MDHHS agrees with part b. of the finding. For part a., DTMB disagrees the interface over the Bridges Integrated Automated Eligibility Determination System (Bridges) data exchanges is not operating as needed. For one interface, the auditors sampled 27 different daily batches, including 9,945 records, and only four records (.04 percent) were cited by the auditors as having inconsistencies. DTMB reviewed these four records and determined they were processed in accordance with business rules and the reporting inconsistency identified did not impact the accuracy of the reconciliation. Additionally, the auditors did not identify inconsistencies in the other eight interfaces sampled across multiple days, which totaled more than 2.95 million records. 
Therefore, the interface controls are effective and reasonably ensure that data transferred from a source system to a receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Regarding part a., contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. FISCAM recommends interface controls should reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. We determined the errors noted in part a. of the finding occurred on multiple daily files. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. Therefore, the finding stands as written.
FINDING 2022-004 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not maintain documentation for 32 (80%) of the 40 sampled Bridges incompatible role exception requests. Of the 8 forms received, we noted MDHHS did not properly approve all 8 forms prior to granting the exception requests. b. MDHHS did not maintain documentation for 25 (31%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 2 (4%) of 55 sampled security monitoring reports. c. DTMB did not fully establish and implement effective security configurations* for the Bridges database. The Bridges database management systems* contained potentially vulnerable database configurations. d. MDHHS did not maintain documentation for 1 (3%) of the 40 sampled Bridges application security agreements. Of the 39 forms received, we noted MDHHS did not properly approve 5 (13%) forms prior to granting access to Bridges. e. MDHHS did not monitor non-local office Bridges user accounts for compliance with account management requirements semiannually for privileged users or annually for all other users. f. MDHHS did not maintain documentation for 11 (55%) of the 20 sampled local office high-risk Bridges transaction monitoring reports. Of the 9 reports received, MDHHS did not complete the review timely or did not document its review date for 3 (33%) of the reports. g. MDHHS did not perform reviews for 2 (8%) of 24 sampled non-local office high-risk Bridges transaction reports. Of the 22 reports received, MDHHS did not properly document its review and review date for 4 (18%) reports. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For part a., MDHHS informed us internal control and monitoring activities were not sufficient to ensure that incompatible role exception requests were maintained and updated annually. For parts b. 
and e., MDHHS informed us internal control and monitoring activities were not sufficient to ensure timely completion and maintenance of security monitoring reports because of a lack of resources. For part c., DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. For part d., MDHHS informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For part f., MDHHS informed us internal control and monitoring activities need improvement to ensure timely completion and maintenance of security monitoring reports. For part g., MDHHS informed us it did not perform separate reviews for each type of high-risk transaction prior to February 2022. Also, MDHHS indicated staff oversight and competing priorities impacted its ability to timely review the reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Pandemic Electronic Benefits Transfer (P-EBT) Food Benefits, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB establish effective security management and access controls over Bridges users. Management Views MDHHS agrees with parts a., b., and d. through g. of the finding. 
MDHHS and DTMB disagree with part c. of the finding. For part c., although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-005 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 3 (12%) of 25 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting testing and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2022-006 Income Eligibility and Verification System See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS's automated data processing (ADP) system for the SNAP Cluster, Medicaid Cluster, TANF, and CHIP is Bridges. Bridges obtains and utilizes information from the Income Eligibility and Verification System (IEVS) to verify the eligibility and benefit levels of applicants and participating households for these federal programs. To obtain IEVS information, Bridges conducts 15 data exchanges through interfaces with various governmental agencies. Bridges disseminates the IEVS information obtained from the majority of these interfaces through electronic notifications in Bridges to the recipients' MDHHS county/district office caseworkers to manually consider and take action to determine the recipients' eligibility and benefit levels of the SNAP Cluster, Medicaid Cluster, TANF, and CHIP. Some interfaces automatically update Bridges with the IEVS information and determine the recipients' eligibility and benefit levels. Condition MDHHS and DTMB did not request and obtain IEVS information for all recipients. In addition, MDHHS did not ensure that county/district office caseworkers considered and used IEVS information when making eligibility and benefit level determinations for these programs. We noted: a. For 6 (43%) of 14 IEVS interfaces requiring manual caseworker consideration and action, MDHHS did not maintain sufficient documentation to support that county/district office caseworkers considered and utilized the IEVS information to determine eligibility and benefit level for each recipient in 14 (23%) of 60 cases. b. For 3 (21%) of 14 IEVS interfaces, MDHHS did not take timely action on IEVS information in 9 (15%) of 60 cases reviewed, all of which are also reported in part a. c. 
MDHHS had not established a process to review and monitor the electronic notifications provided to county/district office caseworkers to ensure they utilized the IEVS information to determine the recipients' eligibility. For all 11 IEVS interfaces with electronic notifications, county/district office caseworkers could manually mark electronic notifications as complete without utilizing the IEVS information to determine the recipients' eligibility. d. MDHHS did not include all recipients funded by the TANF adoption subsidies in the IEVS interfaces conducted during the audit period. Also, MDHHS did not establish and implement the other applicable financial and non-financial interfaces during the audit period for TANF adoption subsidies. e. MDHHS and DTMB did not obtain the Public Assistance Reporting Information System interstate match during the first quarter of the audit period. f. MDHHS did not include modified adjusted gross income (MAGI)-based recipients funded by the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and the CHIP Healthy Kids and MiChild programs in the applicable IEVS interfaces conducted during the audit period. g. Although MDHHS has established a process to identify substantial lottery winners, MDHHS did not establish a data match process to identify public assistance recipients who have won substantial gambling winnings. Criteria Federal regulation 7 CFR 272.10 requires all state agencies to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information. Also, federal regulation 7 CFR 272.10(b) states that, in order to meet the requirements, a SNAP system must be automated for certification and meet the requirements of IEVS. 
In addition, federal regulation 7 CFR 273.2(f)(9) requires state agencies to obtain information through IEVS from provider agencies and use it to verify the eligibility and benefit levels of applicants and participating households. Also, federal regulation 7 CFR 272.17 requires each state agency, to the maximum extent practicable, to establish cooperative agreements with gaming entities within its state to identify members of certified households who have substantial lottery or gambling winnings. Further, federal regulation 7 CFR 273.12 requires any substantial lottery or gambling winnings to be reported within 10 days of the change occurring, and federal regulation 7 CFR 273.11(r) requires immediate termination of food assistance program benefits for any household with substantial lottery or gambling winnings. Federal regulation 7 CFR 273.2(f)(9) also requires the state agency to take action to terminate, deny, or reduce benefits based on information obtained through the IEVS processes. Further, federal regulations 7 CFR 272.8(c) and 7 CFR 272.8(e) require that the state agency must timely document information obtained through IEVS both when an adverse action is and is not instituted. Title 42, section 1320b-7(a)(4)(A) of the United States Code (USC) requires all state agencies to exchange with each other information in their possession which may be of use in establishing or verifying eligibility or benefit amounts. Federal regulations 42 CFR 435.948, 45 CFR 205.55, and 42 CFR 457.380(d) for the Medicaid Cluster, TANF, and CHIP, respectively, require states to request information through IEVS for wages, unemployment compensation, Social Security Administration information, and unearned income from the Internal Revenue Service at the first opportunity following receipt of an application for assistance. 
Also, federal regulations 42 CFR 435.948, 42 CFR 435.952, 45 CFR 205.56, and 42 CFR 457.380(d) require states to timely use the IEVS information to determine an individual's eligibility and the amount of assistance available. Further, federal regulations 42 CFR 435.916(a) and 42 CFR 457.343 indicate the state must redetermine MAGI-based eligibility without requiring information from the individual if the information is based on reliable information in the individual's account or other more current information available to the state, including information accessed through any databases, to verify the financial and non-financial information related to eligibility. MDHHS Bridges Administrative Manual Policy 800, Data Exchanges, requires information received from most computer matches to be resolved by the county/district office caseworker within 45 calendar days of receiving the electronic notification. Cause For parts a. through c., MDHHS did not always have information available to identify if the IEVS interface information was appropriately utilized in determining recipients' eligibility when county/district office caseworkers marked electronic notifications as complete. For part d., MDHHS informed us it did not yet establish and implement the applicable IEVS interfaces to validate income, social security number, criminal background, or citizenship. For part e., DTMB informed us it did not receive the file back from its external partner. For part f., MDHHS believes post eligibility verification for MAGI-based recipients is not subject to IEVS requirements; therefore, MDHHS did not include all MAGI-based recipients coded to the Medicaid Cluster Healthy Kids and Healthy Michigan Plan programs and CHIP Healthy Kids and MiChild programs in the applicable IEVS data exchanges. For part g., MDHHS stated the number of gaming entities within the State has contributed to the complexity of developing a data match process related to gambling winnings. 
Also, MDHHS believed that, since it has implemented a process for lottery winners, it has generally complied with the requirements. Effect We consider this to be a material weakness and material noncompliance because of the high error rates in our testing and the incomplete data matches noted. As a result, MDHHS may have provided the SNAP Cluster, Medicaid Cluster, TANF, and CHIP benefits to ineligible recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendations We recommend MDHHS and DTMB request and obtain IEVS information for all recipients. We also recommend MDHHS ensure that county/district office caseworkers consider and use IEVS information in a timely manner when making eligibility and benefit level determinations for these programs. Management Views MDHHS and DTMB agree with parts c., d., e., and g. of the finding. MDHHS and DTMB disagree with parts a., b., and f. of the finding. For parts a. and b., MDHHS agrees with the recommendations. However, MDHHS disagrees with the exceptions identified for 1 of the 6 cited interfaces. For one interface, that impacted three cases, the interface updated appropriately as designed where needed. The interface did not need to update the case for citizenship and worker action was not required because citizenship was verified appropriately using another method and citizenship was not in question. For part f., MDHHS disagrees that Income Eligibility Verification System (IEVS) information is required to be requested and obtained for modified adjusted gross income (MAGI) based recipients since eligibility is verified upon determination through the MAGI eligibility determination process and then granted for a 12-month continuous eligibility period. Requesting and obtaining IEVS information throughout the eligibility period would be irrelevant since eligibility is continuous. 
Auditor's Comments to Management Views Regarding parts a. and b., MDHHS could not provide support its interface appropriately updated the case record. During our fieldwork, MDHHS reviewed these cases and determined that citizenship was not in question. However, this review did not support its interface operated as intended. Regarding part f., federal regulations 42 CFR 435.916(a), 42 CFR 435.948, and 42 CFR 435.952 require the State to use reliable information or information available to the State, including information accessed through databases, to determine or renew a Medicaid recipient eligibility. Similarly, federal regulations 42 CFR 457.343 and 42 CFR 457.380(d) require the use of such databases to determine or renew CHIP recipient eligibility. MDHHS requested IEVS data for Medicaid recipients, including certain MAGI-based recipients, but did not include all MAGI-based recipients in its IEVS data exchanges at application and redetermination. Further, MDHHS did not take steps to determine whether eligibility was erroneously granted to its MAGI-based recipients enrolled in the Medicaid Cluster Healthy Kids and CHIP Healthy Kids and MiChild programs due to agency error or fraud, abuse, or perjury attributed to the child or the child's representative, as required by federal regulations 42 CFR 435.926(d)(4) and 42 CFR 457.342. Therefore, the finding stands as written.
FINDING 2022-009 CHAMPS General Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully establish and implement effective security configurations for the Community Health Automated Medicaid Processing System (CHAMPS) database. CHAMPS is the Medicaid and CHIP claims processing system and includes functions such as provider enrollment, claims status, prior authorization, and eligibility verification. The CHAMPS database management systems contained potentially vulnerable database configurations. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, including retaining previous system configurations, configuring approved devices for high-risk areas, tracking and documenting system changes, and assigning privileges to authorized personnel. The policy also states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. Cause DTMB informed us it had not fully implemented all database specific configuration standards during our audit period because it was developing an organization-wide security framework for database security configuration management which was approved for implementation subsequent to September 30, 2022. Effect Without effective general controls, individuals may make inappropriate changes to CHAMPS. 
As a result, an increased risk exists that MDHHS and DTMB cannot ensure the security of CHAMPS and its data. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully establish and implement effective security configurations for the CHAMPS database. Management Views Although MDHHS and DTMB had not fully documented all database specific configuration standards until after the audit period, DTMB disagrees that during the audit period the system contained potentially vulnerable database configurations and disagrees that DTMB cannot ensure the security of the data. DTMB has been and continues to implement the manufacturer's recommendations regarding security configurations. In addition, the databases reside in restricted trusted internal security zones, protected by firewalls, which are specific to each application and database, in conjunction with intrusion protection, antivirus software, and State of Michigan standard security safeguards. Auditor's Comments to Management Views Regardless of whether DTMB and MDHHS completed their documentation of the standards, we noted and they concurred they had not fully implemented those standards; therefore, the potential vulnerabilities and security risk still exist. The finding stands as written.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-019 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility See Schedule of Findings and Questioned Costs for chart/table. Background In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP. Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. As a result, we sampled beneficiaries for each program who either began receiving assistance or had a change in their type of assistance during fiscal year 2022. We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table. For an estimated 74,086 Medicaid and 16,324 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. 
However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested. The results of the testing for the remaining 54 Medicaid and 48 CHIP beneficiaries we were able to review are summarized in the finding below. Condition MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed: a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 4 (7%) of 54 Medicaid and 11 (23%) of 48 CHIP cases reviewed. b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 54 Medicaid cases reviewed. Criteria Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Cause For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions. For part b., MDHHS indicated the missing documentation resulted from staff oversight. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 9% Medicaid and 23% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance. 
Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $1,969 - federal share. $656 - State share of costs MDHHS inappropriately used as matching. Recommendations We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements. We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-020 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely. On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified it incorrectly recorded $39.1 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2022. However, we selected a sample of 2 beneficiaries that were transferred to CHIP and noted both beneficiaries were not eligible for CHIP but were in fact Medicaid eligible and, therefore, should not have been transferred. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs. Cause MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). 
The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, some cases were transferred in error. Effect MDHHS inappropriately transferred $294 Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Also, of the $39.1 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. For the CHIP compliance requirements noted, we consider this to be a material weakness and material noncompliance because the $39.1 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 14% of total CHIP expenditures and both sample items were inappropriately transferred to CHIP. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. $235 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $235 is questioned in Finding 2022-019. $58 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely.
Management Views MDHHS agrees with the finding.
FINDING 2022-021 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Eligibility Interface Errors See Schedule of Findings and Questioned Costs for chart/table. Background MDHHS uses Bridges for determining eligibility and benefits amounts for medical assistance, among other assistance programs. Eligibility and benefit records from Bridges are then interfaced into CHAMPS, MDHHS's system used to process medical claims and payments. Condition MDHHS did not maintain documentation to support eligibility records with identified errors were properly investigated, corrected, and resubmitted for processing. Our sample of 15 daily interface runs identified 9 (60%) which had been excluded from eligibility interface processing. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Cause MDHHS informed us its central office does not document or conduct any further review on these errors to prevent duplication of effort since these errors are already reviewed by the local offices. Effect MDHHS could not ensure eligibility and benefit level information from Bridges was accurately reflected in CHAMPS for the Medicaid Cluster and CHIP and, as a result, could not ensure medical payments were made based on up-to-date and accurate eligibility information. MDHHS's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance that will not be detected or corrected in a timely manner. Known Questioned Costs None. 
Recommendation We recommend MDHHS maintain documentation to support eligibility records with identified errors and excluded from eligibility interface processing are investigated, corrected, and resubmitted for processing as appropriate. Management Views MDHHS agrees with the finding.
FINDING 2022-022 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Provider Eligibility See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain all required disclosures and/or ensure disclosures were timely and accurately updated and approved in CHAMPS for the Prepaid Inpatient Health Plan (PIHP) entities, MI Choice Waiver Program (MI Choice) entities, Medicaid Health Plan (MHP) entities, Dental Health Plan entities, or the Pharmacy Benefits Manager (PBM) during the audit period. In addition, MDHHS did not monitor its MI Choice entities' network of providers to ensure the providers entered into provider agreements and made required disclosures. Criteria Federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935 require MDHHS to obtain certain identifying information from medical providers, including PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. Disclosures are due when a fiscal agent or managed care entity submits a proposal, upon execution of a contract with the State, upon renewal or extension of the contract, or within 35 days after any change in ownership. These regulations also require MDHHS to obtain information such as identification information of the owners, agents, and managing employees and information on the ownership and control interest in the provider's subcontractors. According to its Medicaid and CHIP State Plans, MDHHS has established procedures for the disclosure of information by providers and fiscal agents as specified in federal regulations 42 CFR 455.104 through 42 CFR 455.106 and 42 CFR 457.935. 
Cause MDHHS indicated it did not have a sufficient process or communication method in place to always obtain timely or complete disclosures because it is not directly involved in the contract execution or contract renewal process for many managed care organizations (MCOs) and, therefore, may not timely become aware new disclosures are required. In addition, MDHHS relies on the entities to inform it when ownership changes occur. Also, limited staff resources resulted in the MI Choice entities' network of providers not being monitored for provider agreements and required disclosures. Effect MDHHS could potentially reimburse ineligible medical providers for medical services. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendations We recommend MDHHS obtain and timely and accurately update and approve CHAMPS for all required disclosures from PIHP entities, MI Choice entities, MHP entities, Dental Health Plan entities, and its PBM. We also recommend MDHHS monitor its MI Choice entities' network of providers to ensure all providers enter into provider agreements and make all required disclosures. Management Views MDHHS agrees with the finding.
FINDING 2022-023 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Refunding of Federal Share of Overpayments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the quarterly statement of expenditures report (CMS-64 report). We noted: a. MDHHS did not have adequate processes in place to ensure receivables recorded in its Adult Services Authorized Payments system were accurately reflected on the reports used for preparation of the CMS-64 report, which resulted in untimely reporting of $1.6 million of the federal share of overpayments. b. MDHHS did not have adequate processes in place to ensure receivables recorded in CHAMPS were accurately reflected on the reports used for preparation of the CMS-64 report, resulting in late reporting for items recorded in the first quarter of fiscal year 2022. c. MDHHS did not have a process in place to identify overpayments returned late and to calculate the corresponding interest due to the U.S. Department of Health and Human Services' (HHS's) CMS as a result of late reporting. d. MDHHS did not have a process in place to ensure receivables entered into CHAMPS as a result of an overpayment due to fraud, waste, and abuse were tracked separately, which resulted in recording overpayments on the incorrect CMS-64 line and returning the incorrect federal share. e. MDHHS did not report 11 (44%) of 25 sampled Medicaid overpayments and 2 (50%) of 4 sampled CHIP overpayments accurately or timely, such as incorrectly applying a federal medical assistance percentage rate, untimely reporting after the 1-year time reporting requirement lapsed, or untimely reporting collections received. 
Criteria Federal regulations 42 CFR 433.320 and 42 CFR 457.628 require MDHHS to refund the federal share of overpayments that are subject to recovery to CMS through a credit on its CMS-64 report. MDHHS must credit CMS with the federal share of overpayments subject to recovery on the earlier of the quarter in which the State recovers the overpayment from the provider or the quarter in which the 1-year period following discovery ends if no recovery is received. If the State does not refund the federal share of overpayments, the State will be liable for interest on the amount equal to the federal share of the non-recovered, non-refunded overpayment amount. Cause MDHHS informed us system issues contributed to the untimely reporting of overpayments. Also, MDHHS stated overpayment receivables entered into CHAMPS were not properly reported due to the design of CHAMPS and the needed quarterly CHAMPS reports were only scheduled to be run on an annual basis. Effect MDHHS did not ensure accurate and timely reporting in accordance with federal regulations for the federal share of fraud, waste, and abuse overpayments made to providers. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Undeterminable. Recommendation We recommend MDHHS accurately and timely report the federal share of fraud, waste, and abuse overpayments made to providers on the CMS-64 report. Management Views MDHHS agrees with the finding.
FINDING 2022-024 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Medical Loss Ratio See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure MHP, PIHP, MI Choice, and Dental Health Plan medical loss ratio (MLR) reports contained a comparison of the amounts used in the MLR calculation with the audited financial reports. The MLR is the proportion of premium revenues spent on behalf of beneficiary services and quality improvement. The Affordable Care Act requires each managed care entity to spend at least 85% of premium dollars on medical care. Criteria Federal regulations 42 CFR 438.8 and 42 CFR 457.1203 require managed care entities to calculate and report an MLR to MDHHS, including a comparison of the amounts reported in the MLR calculation with audited financial reports. Cause MDHHS informed us it relies on the attestation included within the MLR reports indicating the information submitted is current, complete, accurate, and in compliance with federal regulation 42 CFR 438.8; therefore, MDHHS did not require the comparison to be included. Effect MDHHS limits its assurance the calculated MLR is accurate and could fail to collect remittance owed to the State if entities are overstating the MLR inappropriately. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure MLR reports contain a comparison of the amounts reported in the MLR calculation with audited financial reports. Management Views MDHHS agrees with the finding.
FINDING 2022-025 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Managed Care Periodic Audits See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure an independent audit was conducted and posted to its website at least once every three years of encounter and financial data submitted by its managed care entities, which included 15 MCOs, 10 PIHP entities, and 21 Prepaid Ambulatory Health Plan (PAHP) entities in fiscal year 2022. Encounter data is detailed information about individual healthcare services provided by managed care entities. The data in aggregate is used to develop capitation rates to cover services provided to beneficiaries. Criteria Federal regulations 42 CFR 438.602 and 42 CFR 457.1285 require MDHHS to conduct or contract for an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by or on behalf of each MCO, PIHP, and PAHP at least once every three years. In addition, MDHHS is required to publish the results of these audits on its website. Cause MDHHS informed us it relies on various reviews in lieu of an independent audit of encounter and financial data, such as periodically comparing CHAMPS encounter data with the managed care entities' internally stored encounter data to identify variances. Effect We consider this to be a material weakness and material noncompliance because MDHHS significantly limits its assurance the data submitted by the managed care entities is accurate. Also, inaccurate data could affect the capitation rates developed based on the encounter and financial data. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. 
Recommendation We recommend MDHHS ensure an independent audit is conducted and posted to its website at least once every three years of the accuracy, truthfulness, and completeness of encounter and financial data submitted by the managed care entities. Management Views MDHHS agrees with the finding.
FINDING 2022-015 MDHHS, PACAP - Inappropriate PACAP Allocation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it used the appropriate Public Assistance Cost Allocation Plan (PACAP) data to allocate expenditures to its federal programs. We noted 4 (2%) of 206 statistic groups for which MDHHS used incorrect data to calculate the PACAP percentages, which affected 13 (76%) of 17 sampled cost pools. Criteria Federal regulation 45 CFR 95.507 and Appendix VI of federal regulation 2 CFR 200 state costs are allocable to a particular cost objective if the services involved are chargeable or assignable to such cost objective in accordance with relative benefits received. Federal regulation 45 CFR 95.517 requires MDHHS to claim federal financial participation for costs associated with a program only in accordance with its approved or amended (at its discretion) PACAP. Cause MDHHS informed us its quality control processes did not detect the errors. Effect MDHHS incorrectly allocated expenditures to various federal programs. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs $426,648 - federal share. Recommendation We recommend MDHHS ensure it uses the appropriate PACAP data to allocate expenditures to its federal programs. Management Views MDHHS agrees with the finding.
FINDING 2022-017 MDHHS, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure it reported or accurately and timely reported all subaward information as required by the FFATA. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. We noted: a. MDHHS did not report any subaward information for 4 (3%) of 129 sampled subawards. b. Of the 125 subawards in FSRS: (1) MDHHS did not timely submit subaward information for 124 (99%) sampled subawards. (2) MDHHS did not submit the correct amount for 28 (22%) sampled subawards. (3) MDHHS did not report all key data elements for 1 (1%) sampled subawards. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MDHHS report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MDHHS informed us the unavailability of FSRS during a significant portion of the fiscal year 2021 reporting period contributed to its inability to report timely as required because it created a backlog of fiscal year 2021 reports that needed to be entered into FSRS prior to the submission of the fiscal year 2022 reports. Also, for the Medicaid Cluster and CHIP, the Electronic Grants Administration and Management System account code and funding source fields were inaccurate, which impacted the query used to obtain certain FFATA data elements. Effect MDHHS grant information was not accurate or timely available for public access through the website established to improve transparency of governmental spending. We consider this to be a material weakness and material noncompliance for the Medicaid Cluster and CHIP because of the high error rates related to the accuracy of information submitted to FSRS. 
The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS ensure it reports or accurately and timely reports all subaward information as required by FFATA. Management Views MDHHS agrees with the finding.
FINDING 2022-002 SIGMA High-Risk Activity Monitoring See Schedule of Findings and Questioned Costs for chart/table. Condition DTMB did not sufficiently monitor the DMVA and MSP high-risk activity reports to ensure users performed only authorized bypass and override actions in SIGMA. We noted DTMB did not perform the high-risk activity monitoring in a timely manner for all 6 sampled reports. DTMB provided evidence it reviewed the reports; however, on average, these reviews were completed 313 days after the reporting periods. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. State of Michigan Administrative Guide to State Government policy 1340.00 states security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires agencies to monitor privileged system functions to help mitigate the risk from insider threats and detect misuse. Cause DTMB informed us a lack of oversight prevented the timely review of high-risk activity reports, and it has since reassigned staff responsibilities accordingly. Effect Individuals may have made inappropriate bypass or override actions in SIGMA that were not detected in a timely manner. As a result, an increased risk exists that DTMB did not identify inappropriate or high-risk activity associated with SIGMA transactions. 
Known Questioned Costs None. Recommendation We recommend DTMB sufficiently monitor the DMVA and MSP high-risk activity reports to ensure users performed only authorized bypass and override actions in SIGMA. Management Views DTMB agrees with the finding.
FINDING 2022-026 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC), ALN 93.323 and Disaster Grants - Public Assistance (Presidentially Declared Disasters), ALN 97.036 - Long-Term Care (LTC) Facility COVID-19 Testing Reimbursements See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not maintain sufficient documentation to demonstrate a process was in place to ensure long-term care (LTC) facility COVID-19 testing reimbursement requests, totaling $48.5 million ($46.4 million Disaster Grants - Public Assistance (Presidentially Declared Disasters) and $2.1 million ELC), were reasonable and appropriate. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over the federal award that provides reasonable assurance the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Also, Subpart E of federal regulations 2 CFR 200 and 5 CFR 75 require costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program. Cause MDHHS believed its process was sufficient to ensure requests were reasonable and appropriate. However, the documentation provided did not substantiate the procedures completed. Effect MDHHS could not demonstrate the costs complied with the applicable federal regulations ensuring reasonableness of the amounts requested. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS maintain sufficient documentation to demonstrate its process to ensure LTC facility COVID-19 testing reimbursement requests are reasonable and appropriate. Management Views MDHHS agrees with the finding.
FINDING 2022-060 Disaster Grants - Public Assistance (Presidentially Declared Disasters), ALN 97.036, Reporting - FFATA Reporting See Schedule of Findings and Questioned Costs for chart/table. Condition MSP did not ensure that it timely reported Disaster Grants - Public Assistance subaward information as required by FFATA. We reviewed 8 subawards totaling $5,961,983 and noted MSP did not timely report subaward information for 3 (38%) subawards totaling $1,876,788. Criteria Federal regulation 2 CFR 170 implemented the FFATA requirements for reporting subaward information and requires MSP report, on the federal website, each action that obligates $30,000 or more in federal funds by the end of the month following the month in which the subaward was made. Cause MSP informed us that responding to the unprecedented challenges of the COVID-19 pandemic and several other Michigan disasters with limited resources impacted its ability to complete FFATA reporting timely. Effect MSP grant information was not available for public access through the federal website established to improve transparency of governmental spending as required. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MSP ensure it timely reports the Disaster Grants - Public Assistance subaward information as required by FFATA. Management Views MSP agrees with the finding.
FINDING 2022-061 Disaster Grants - Public Assistance (Presidentially Declared Disasters), ALN 97.036, Subrecipient Monitoring - Subrecipient Audits See Schedule of Findings and Questioned Costs for chart/table. Condition MSP did not appropriately monitor its subrecipients to ensure they complied with the Uniform Guidance. MSP utilized a tracking sheet to identify those subrecipients that required a single audit and a form to document its review of subrecipient single audits. We sampled 5 subrecipients and noted for 2 (40%): a. MSP did not appropriately identify or document if the subrecipients required a single audit. Therefore, MSP did not monitor these subrecipients to ensure the status or submission of their single audit reports. We verified both subrecipients obtained the required single audits. b. MSP did not complete single audit report review forms. Therefore, MSP did not take steps to determine whether a management decision letter was needed. We verified there were no findings related to both subrecipients' federal awards. Criteria Federal regulation 2 CFR 200.501 requires nonfederal entities who expend $750,000 or more in federal awards during their fiscal year to obtain a single audit for that fiscal year. Also, federal regulation 2 CFR 200.332(f) requires the pass-through entity to verify these subrecipients are audited as required by Subpart F of the Uniform Guidance, Audit Requirements, when it is expected the subrecipient's federal awards expended during the respective fiscal year equaled or exceeded the $750,000 threshold. In addition, federal regulation 2 CFR 200.521(d) requires MSP to issue a management decision letter on the appropriateness of all audit findings related to its federal awards and the subrecipient's corrective action plan within six months of acceptance by the FAC. 
Cause MSP informed us a miscommunication between its staff regarding its query of subrecipient expenditure data resulted in subrecipients being excluded from the tracking sheet. Effect MSP limited the State's assurance that its subrecipients complied with grant requirements and implemented corrective actions for audit findings to prevent future sanctions or disallowed costs, which could necessitate adjustments to MSP's records. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MSP appropriately monitor its subrecipients to ensure they comply with the Uniform Guidance. Management Views MSP agrees with the finding.