COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
CONTROLS OVER UNEMPLOYMENT INSURANCE BENEFIT PAYMENTS See related Financial Statement Finding 2022-002. Controls over the processing of unemployment insurance claims were ineffective to sufficiently prevent fraudulent unemployment insurance benefit payments. Controls were also ineffective to ensure compliance with the documentation of self-employment income for the Pandemic Unemployment Assistance (PUA) program. Background: Since the start of the pandemic, the Department of Labor and Training (DLT) disbursed more than $2.7 billion in unemployment insurance benefits. In response to the COVID-19 pandemic, the federal Coronavirus Aid, Relief, and Economic Security (CARES) Act expanded and/or extended unemployment insurance benefits, including providing new benefits to self-employed individuals and independent contractors. Fraudulent claims for unemployment insurance benefits also increased rapidly, concurrent with the overall increase in claims due to the pandemic. This unprecedented increase in fraudulent claims was experienced nationwide and was not unique to Rhode Island. Expanded pandemic unemployment benefits continued during fiscal 2022, through September 2021, exceeding $300 million. The system used by DLT to process unemployment insurance (UI) benefits utilizes outdated technology. This legacy system is mainframe based and programmed in COBOL. In response to the pandemic-related surge in unemployment insurance claims, new ?cloud-based? technologies were rapidly deployed to facilitate processing the volume of claims and interactions with claimants; however, the primary claims processing functions were still performed by the legacy system. Criteria: Management is responsible for establishing and maintaining effective internal controls to process and disburse unemployment insurance benefits consistent with federal program guidelines including appropriate procedures to prevent and detect fraudulent payments. Collections on overpayments due to error or fraud must be reported and credited to the appropriate federal award that funded the unemployment insurance benefit. The PUA program was created under the CARES Act to provide benefits to self-employed individuals who were previously ineligible for traditional unemployment insurance benefits. A ?covered individual? is someone who meets each of the following three conditions: 1. The individual is not eligible for regular Unemployment Compensation, Extended Benefits, or Pandemic Emergency Unemployment Compensation. This also includes those who have exhausted all rights to such benefits, self-employed, those seeking part-time employment, individuals lacking sufficient work history. Self-employed individuals include independent contractors and ?gig economy workers?. 2. Individuals must self-certify that they are unemployed, partially unemployed, or unable or unavailable to work due to one of the COVID19 related reasons identified in Section 2102(a)(3)(A)(ii)(I) of the CARES Act and in Departmental guidance (UIPL 16-20 and Attachment I, Section C.1. of UIPL 16-20, Change 4). Because this eligibility is based on self-certification, states may only request supporting documentation if they have reasonable suspicions of fraud (question 23 of Attachment I to UIPL No. 16-20, Change 2). 3. Additionally, individuals who are paid on or after December 27, 2020, must submit proof of documentation substantiating employment, self-employment, or the planned commencement of employment or self-employment (see Attachment I, Section C.2. of UIPL No. 16-20, Change 4). This includes individuals requesting retroactive payments that are not received until after December 27, 2020. Condition: DLT?s internal control procedures were not sufficiently effective to ensure that unemployment benefit payments were made only to eligible individuals. DLT estimated another $10 million in fraudulent claims were paid in fiscal 2022 prior to the end of expanded benefits in September 2021. DLT implemented additional measures since the commencement of the enhanced federal benefits which aided fraud prevention but did not fully eliminate such activities. The decreased rate of fraudulent benefits in fiscal 2022 was a significant improvement over fiscal 2021 and a direct result of fraud prevention procedures implemented by the DLT. The federal government required (effective in December 2020) stricter documentation requirements of income provisions for self-employed individuals; however, most claimants did not provide the required documentation and benefits continued. In a sample of 60 UI and PUA claimants, of which 41 (68%) were UI and 19 (32%) were PUA, our testing found that 19 of 19 (100%) claimants receiving PUA payments after December 27, 2020, provided no evidence of employment status or self-employment income as required by federal regulations. Sampled benefits missing the required documentation totaled $90,669. DLT?s failure to obtain the required documentation for a significant percentage of unemployment benefits awarded under PUA is considered material noncompliance with eligibility requirements for fiscal 2022. In some limited instances, claw back of amounts (approximating $3.7 million) paid to fraudulent beneficiaries were made. About $2 million of this was returned to the Treasury. DLT has lagged in determining the funding source of the remaining amounts ($1.7 million) resulting in a delay in crediting applicable amounts to the appropriate federal award, when applicable. Beyond the above control considerations, DLT?s current mainframe system has reached end-of-life and poses significant business continuity risks to unemployment insurance benefit operations. Cause: The large volume of claims stressed an outdated system and the unprecedented economic impact warranted rapid processing of claims. The rapid implementation of new unemployment benefit programs authorized by the CARES Act did not allow sufficient time to employ wage verification and other procedures. Other procedures to verify client identity, prior wages and overall eligibility were also weakened due to the unprecedented volume of claims and new procedures employed to expedite benefit payments. Lastly, the substantial increase in fraudulent claims activity is largely considered to be the result of sustained and targeted efforts impacting many states. When fraudulent benefits are successfully clawed-back or collected, the funding source for that benefit must be investigated and determined. The investigation and accounting for these amounts has lagged and was still pending at June 30, 2022. Claimant documentation requirements for the PUA program were not enforced during fiscal 2022. Effect: Fraudulent unemployment insurance claims have been paid and DLT?s systems require further enhancements to timely identify fraudulent benefit claims prior to disbursement. DLT remains at a critical juncture in developing a strategy to upgrade and modernize its unemployment insurance claims processing systems while ensuring compliance with federal program requirements including the prevention and detection of fraudulent benefit payments. The federal grantor has not yet been credited for their share of fraud recoveries. Failure to comply with documentation requirements for the PUA program resulted in material noncompliance with federal requirements for the disbursement and claiming of those unemployment benefits. Questioned Costs: $90,669 Valid Statistical Sampling: Yes RECOMMENDATIONS 2022-041a Implement a strategic plan to address the required modernization of the unemployment benefit claims processing system. The modernization should include strengthening controls to prevent fraudulent benefit payments. 2022-041b Research recoveries of overpayments or fraudulent payments and credit the federal government (appropriate federal award) for amounts recovered.
UNEMPLOYMENT INSURANCE PROGRAM INTEGRITY ? BENEFIT OVERPAYMENTS The Department of Labor and Training (DLT) did not make the necessary changes to its system to allow for the imposition of penalties on overpayments due to fraud, and to prohibit relief from charges to an employer?s Unemployment Compensation (UC) account when the overpayment was the result of the employer?s failure to respond timely or adequately to a request for information. Criteria: Federal law provides that (1) States are required to impose a monetary penalty (not less than 15 percent) on claimants whose fraudulent acts resulted in overpayments and deposit the funds in the State?s account in the Unemployment Trust Fund, and (2) States are prohibited from providing relief from charges to an employer?s UC account when overpayments are the result of the employer?s failure to respond timely or adequately to a request for information. Pub. L. No. 112-40, enacted on October 21, 2011, and effective October 21, 2013, amended sections 303(a) and 453A of the Social Security Act and sections 3303, 3304, and 3309 of the Federal Employment Tax Act (FUTA) to improve program integrity and reduce overpayments. (See UIPL Nos. 02-12, and 02-12, Change 1). In compliance with federal law, the State enacted these requirements into State law effective October 1, 2013, including a 15% penalty on overpayments due to claimant fraud (RIGL 28-42- 62.1(a)(4)) and a prohibition on relieving the employer?s account of charges relating to any benefit overpayments made if the employer was at fault for failure to respond timely or adequately to a request of the department for information relating to the claim (RIGL 28-43-3(2)(viii)). Condition: We had previously found that the State was not properly identifying and handling overpayments, including, as applicable, assessment of the 15% penalty on claimants who commit fraud, and not relieving an employer?s account of charges for overpayments when their untimely or inaccurate responses cause improper payments. Overpayments must be established and communicated to the recipient to initiate collection. Cause: Due to the increased fraudulent activity in UI claims, the department was unable to keep up with the establishment of overpayments due to claimant fraud. DLT management had previously advised us they were programming the existing benefit system to impose penalties for overpayments due to fraud. This programming change was not made in fiscal 2022. Effect: Noncompliance with federal and State laws as well as lost revenue on penalties not assessed. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-042 Adopt procedures to: (1) impose and collect a 15% penalty on benefit overpayments of claimants who commit fraud (RIGL 28-42-62.1(a)(4)) and (2) prohibit providing relief to an employer account when an overpayment is the result of the employer?s failure to respond timely or adequately to a request for information by the State agency (RIGL 28-43-3(2)(viii)).
UNEMPLOYMENT INSURANCE PROGRAM REPORTING The Department of Labor and Training (DLT) did not submit all of its required reports on time. In several instances, the person preparing the report also submits the report, meaning there is no secondary review before submission. Criteria: U.S. Department of Labor?s Employment and Training Administration (ETA) administers federal government job training and worker dislocation programs, federal grants to states for public employment service programs, and unemployment insurance benefits. Management is responsible for establishing and maintaining effective internal controls to produce and submit ETA reports in accordance with ETA?s Office requirements. - For ETA 9130, the report is due 45 days after the end of the quarter. - For ETA 2112, the report is due the 1st day of the second month following the month of reference and will be transmitted electronically. - For ETA 9050, 9052, and 9055, the report is due to the ETA National Office on the 20th of the month following the month to which the data relates. This report will be transmitted electronically. - ETA 2208A, the report is due 7 days after the end of the quarter. Condition: DLT?s internal control procedures were not sufficiently effective to ensure that ETA reports were submitted timely and that a secondary review was performed to ensure accuracy. DLT is responsible for submitting ETA reports monthly (ETA reports 2112, 9050, 9052, 9055) and quarterly (ETA reports 9130, 191, and 2208A). We tested a total of 26 submissions of the ETA reports. - 8 of 26 (31%) reports tested were submitted past the due date. - 16 of 26 (62%) reports tested the were not signed by a manager. In the case of four of these ETA reports, the preparer and the reviewer appear to be the same person. Cause: DLT has failed to segregate duties regarding preparation and review/submission of reports. Effect: Noncompliance with reporting deadlines. Errors in reports could go undetected without proper review. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-043 Implement procedures for a secondary review of all reports submitted. Establish deadlines for preparation and review to ensure timely submission.
CONTROLS OVER UNEMPLOYMENT INSURANCE BENEFIT PAYMENTS See related Financial Statement Finding 2022-002. Controls over the processing of unemployment insurance claims were ineffective to sufficiently prevent fraudulent unemployment insurance benefit payments. Controls were also ineffective to ensure compliance with the documentation of self-employment income for the Pandemic Unemployment Assistance (PUA) program. Background: Since the start of the pandemic, the Department of Labor and Training (DLT) disbursed more than $2.7 billion in unemployment insurance benefits. In response to the COVID-19 pandemic, the federal Coronavirus Aid, Relief, and Economic Security (CARES) Act expanded and/or extended unemployment insurance benefits, including providing new benefits to self-employed individuals and independent contractors. Fraudulent claims for unemployment insurance benefits also increased rapidly, concurrent with the overall increase in claims due to the pandemic. This unprecedented increase in fraudulent claims was experienced nationwide and was not unique to Rhode Island. Expanded pandemic unemployment benefits continued during fiscal 2022, through September 2021, exceeding $300 million. The system used by DLT to process unemployment insurance (UI) benefits utilizes outdated technology. This legacy system is mainframe based and programmed in COBOL. In response to the pandemic-related surge in unemployment insurance claims, new ?cloud-based? technologies were rapidly deployed to facilitate processing the volume of claims and interactions with claimants; however, the primary claims processing functions were still performed by the legacy system. Criteria: Management is responsible for establishing and maintaining effective internal controls to process and disburse unemployment insurance benefits consistent with federal program guidelines including appropriate procedures to prevent and detect fraudulent payments. Collections on overpayments due to error or fraud must be reported and credited to the appropriate federal award that funded the unemployment insurance benefit. The PUA program was created under the CARES Act to provide benefits to self-employed individuals who were previously ineligible for traditional unemployment insurance benefits. A ?covered individual? is someone who meets each of the following three conditions: 1. The individual is not eligible for regular Unemployment Compensation, Extended Benefits, or Pandemic Emergency Unemployment Compensation. This also includes those who have exhausted all rights to such benefits, self-employed, those seeking part-time employment, individuals lacking sufficient work history. Self-employed individuals include independent contractors and ?gig economy workers?. 2. Individuals must self-certify that they are unemployed, partially unemployed, or unable or unavailable to work due to one of the COVID19 related reasons identified in Section 2102(a)(3)(A)(ii)(I) of the CARES Act and in Departmental guidance (UIPL 16-20 and Attachment I, Section C.1. of UIPL 16-20, Change 4). Because this eligibility is based on self-certification, states may only request supporting documentation if they have reasonable suspicions of fraud (question 23 of Attachment I to UIPL No. 16-20, Change 2). 3. Additionally, individuals who are paid on or after December 27, 2020, must submit proof of documentation substantiating employment, self-employment, or the planned commencement of employment or self-employment (see Attachment I, Section C.2. of UIPL No. 16-20, Change 4). This includes individuals requesting retroactive payments that are not received until after December 27, 2020. Condition: DLT?s internal control procedures were not sufficiently effective to ensure that unemployment benefit payments were made only to eligible individuals. DLT estimated another $10 million in fraudulent claims were paid in fiscal 2022 prior to the end of expanded benefits in September 2021. DLT implemented additional measures since the commencement of the enhanced federal benefits which aided fraud prevention but did not fully eliminate such activities. The decreased rate of fraudulent benefits in fiscal 2022 was a significant improvement over fiscal 2021 and a direct result of fraud prevention procedures implemented by the DLT. The federal government required (effective in December 2020) stricter documentation requirements of income provisions for self-employed individuals; however, most claimants did not provide the required documentation and benefits continued. In a sample of 60 UI and PUA claimants, of which 41 (68%) were UI and 19 (32%) were PUA, our testing found that 19 of 19 (100%) claimants receiving PUA payments after December 27, 2020, provided no evidence of employment status or self-employment income as required by federal regulations. Sampled benefits missing the required documentation totaled $90,669. DLT?s failure to obtain the required documentation for a significant percentage of unemployment benefits awarded under PUA is considered material noncompliance with eligibility requirements for fiscal 2022. In some limited instances, claw back of amounts (approximating $3.7 million) paid to fraudulent beneficiaries were made. About $2 million of this was returned to the Treasury. DLT has lagged in determining the funding source of the remaining amounts ($1.7 million) resulting in a delay in crediting applicable amounts to the appropriate federal award, when applicable. Beyond the above control considerations, DLT?s current mainframe system has reached end-of-life and poses significant business continuity risks to unemployment insurance benefit operations. Cause: The large volume of claims stressed an outdated system and the unprecedented economic impact warranted rapid processing of claims. The rapid implementation of new unemployment benefit programs authorized by the CARES Act did not allow sufficient time to employ wage verification and other procedures. Other procedures to verify client identity, prior wages and overall eligibility were also weakened due to the unprecedented volume of claims and new procedures employed to expedite benefit payments. Lastly, the substantial increase in fraudulent claims activity is largely considered to be the result of sustained and targeted efforts impacting many states. When fraudulent benefits are successfully clawed-back or collected, the funding source for that benefit must be investigated and determined. The investigation and accounting for these amounts has lagged and was still pending at June 30, 2022. Claimant documentation requirements for the PUA program were not enforced during fiscal 2022. Effect: Fraudulent unemployment insurance claims have been paid and DLT?s systems require further enhancements to timely identify fraudulent benefit claims prior to disbursement. DLT remains at a critical juncture in developing a strategy to upgrade and modernize its unemployment insurance claims processing systems while ensuring compliance with federal program requirements including the prevention and detection of fraudulent benefit payments. The federal grantor has not yet been credited for their share of fraud recoveries. Failure to comply with documentation requirements for the PUA program resulted in material noncompliance with federal requirements for the disbursement and claiming of those unemployment benefits. Questioned Costs: $90,669 Valid Statistical Sampling: Yes RECOMMENDATIONS 2022-041a Implement a strategic plan to address the required modernization of the unemployment benefit claims processing system. The modernization should include strengthening controls to prevent fraudulent benefit payments. 2022-041b Research recoveries of overpayments or fraudulent payments and credit the federal government (appropriate federal award) for amounts recovered.
UNEMPLOYMENT INSURANCE PROGRAM INTEGRITY ? BENEFIT OVERPAYMENTS The Department of Labor and Training (DLT) did not make the necessary changes to its system to allow for the imposition of penalties on overpayments due to fraud, and to prohibit relief from charges to an employer?s Unemployment Compensation (UC) account when the overpayment was the result of the employer?s failure to respond timely or adequately to a request for information. Criteria: Federal law provides that (1) States are required to impose a monetary penalty (not less than 15 percent) on claimants whose fraudulent acts resulted in overpayments and deposit the funds in the State?s account in the Unemployment Trust Fund, and (2) States are prohibited from providing relief from charges to an employer?s UC account when overpayments are the result of the employer?s failure to respond timely or adequately to a request for information. Pub. L. No. 112-40, enacted on October 21, 2011, and effective October 21, 2013, amended sections 303(a) and 453A of the Social Security Act and sections 3303, 3304, and 3309 of the Federal Employment Tax Act (FUTA) to improve program integrity and reduce overpayments. (See UIPL Nos. 02-12, and 02-12, Change 1). In compliance with federal law, the State enacted these requirements into State law effective October 1, 2013, including a 15% penalty on overpayments due to claimant fraud (RIGL 28-42- 62.1(a)(4)) and a prohibition on relieving the employer?s account of charges relating to any benefit overpayments made if the employer was at fault for failure to respond timely or adequately to a request of the department for information relating to the claim (RIGL 28-43-3(2)(viii)). Condition: We had previously found that the State was not properly identifying and handling overpayments, including, as applicable, assessment of the 15% penalty on claimants who commit fraud, and not relieving an employer?s account of charges for overpayments when their untimely or inaccurate responses cause improper payments. Overpayments must be established and communicated to the recipient to initiate collection. Cause: Due to the increased fraudulent activity in UI claims, the department was unable to keep up with the establishment of overpayments due to claimant fraud. DLT management had previously advised us they were programming the existing benefit system to impose penalties for overpayments due to fraud. This programming change was not made in fiscal 2022. Effect: Noncompliance with federal and State laws as well as lost revenue on penalties not assessed. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-042 Adopt procedures to: (1) impose and collect a 15% penalty on benefit overpayments of claimants who commit fraud (RIGL 28-42-62.1(a)(4)) and (2) prohibit providing relief to an employer account when an overpayment is the result of the employer?s failure to respond timely or adequately to a request for information by the State agency (RIGL 28-43-3(2)(viii)).
UNEMPLOYMENT INSURANCE PROGRAM REPORTING The Department of Labor and Training (DLT) did not submit all of its required reports on time. In several instances, the person preparing the report also submits the report, meaning there is no secondary review before submission. Criteria: U.S. Department of Labor?s Employment and Training Administration (ETA) administers federal government job training and worker dislocation programs, federal grants to states for public employment service programs, and unemployment insurance benefits. Management is responsible for establishing and maintaining effective internal controls to produce and submit ETA reports in accordance with ETA?s Office requirements. - For ETA 9130, the report is due 45 days after the end of the quarter. - For ETA 2112, the report is due the 1st day of the second month following the month of reference and will be transmitted electronically. - For ETA 9050, 9052, and 9055, the report is due to the ETA National Office on the 20th of the month following the month to which the data relates. This report will be transmitted electronically. - ETA 2208A, the report is due 7 days after the end of the quarter. Condition: DLT?s internal control procedures were not sufficiently effective to ensure that ETA reports were submitted timely and that a secondary review was performed to ensure accuracy. DLT is responsible for submitting ETA reports monthly (ETA reports 2112, 9050, 9052, 9055) and quarterly (ETA reports 9130, 191, and 2208A). We tested a total of 26 submissions of the ETA reports. - 8 of 26 (31%) reports tested were submitted past the due date. - 16 of 26 (62%) reports tested the were not signed by a manager. In the case of four of these ETA reports, the preparer and the reviewer appear to be the same person. Cause: DLT has failed to segregate duties regarding preparation and review/submission of reports. Effect: Noncompliance with reporting deadlines. Errors in reports could go undetected without proper review. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-043 Implement procedures for a secondary review of all reports submitted. Establish deadlines for preparation and review to ensure timely submission.
RHODE ISLAND PUBLIC TRANSIT AUTHORITY ? ALLOWABLE COSTS ? CARES ACT Criteria: The grant awards include CARES Act emergency relief operating assistance, which is available for all operating activities (net of fare revenues and other operating reimbursements) incurred on or after January 20, 2020 for fixed route, demand response, ADA paratransit and shuttle services. The operating expense reimbursement should be determined and documented in accordance with Uniform Guidance (2 CFR 200) Subpart E ? Cost Principles and FTA Circular 9030.1E including the requirement that costs be accounted for in accordance with generally accepted accounting principles and be adequately documented. Condition: During our test of internal controls, we noted that costs related to three operating expense reimbursements were determined for a period using fixed route statistics which included average costs per mile and hour, less preventative maintenance and farebox recovery. We also noted that documentation for three operating expense reimbursements for a period included only the payroll reports for fixed route drivers plus benefits, calculated using a fringe benefit percentage rate, and there was no documentation that fare revenues and other operating reimbursements had been deducted from the operating expense reimbursement. Cause: The Rhode Island Public Transit Authority did not account for CARES Act operating expense reimbursements in accordance with generally accepted accounting principles and did not adequately document CARES Act operating expense reimbursements. Effect: The Rhode Island Public Transit Authority has not accounted for and documented CARES Act operating expense reimbursement in accordance with Uniform Guidance (2 CFR 200) Subpart E ? Cost Principles and FTA Circular 9030.1E. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-044 We recommend that CARES Act operating expense reimbursements be prepared utilizing the Authority?s general ledger which is prepared in accordance with generally accepted accounting principles and documented using a worksheet prepared in accordance with FTA Circular 9030.1E, that excludes ineligible costs and deducts fares and other operating expense reimbursements.
RHODE ISLAND PUBLIC TRANSIT AUTHORITY ? ALLOWABLE COSTS Criteria: The Authority is responsible for establishing and maintaining effective internal controls over compliance with requirements of laws, regulations, contracts and grant agreements applicable to federal award programs. In addition, cost principles require that charges to federal award programs be supported by appropriate documentation including applying the proper reimbursement percentage based on the contract. Condition: We noted that costs related to two operating expense reimbursements were processed using the incorrect reimbursement rate based on the grant agreement. Cause: The Rhode Island Public Transit Authority applied the incorrect reimbursement rate on two invoices within our sample. Effect: The Rhode Island Public Transit Authority has not properly applied the reimbursement rate noted in the grant agreement. Questioned Costs: $213,099 Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-045 We recommend that the Authority develop a control to ensure that the proper reimbursement rates are being applied in relation to the specific grants that funding is being requested from.
RHODE ISLAND PUBLIC TRANSIT AUTHORITY ? ALLOWABLE COSTS ? CARES ACT Criteria: The grant awards include CARES Act emergency relief operating assistance, which is available for all operating activities (net of fare revenues and other operating reimbursements) incurred on or after January 20, 2020 for fixed route, demand response, ADA paratransit and shuttle services. The operating expense reimbursement should be determined and documented in accordance with Uniform Guidance (2 CFR 200) Subpart E ? Cost Principles and FTA Circular 9030.1E including the requirement that costs be accounted for in accordance with generally accepted accounting principles and be adequately documented. Condition: During our test of internal controls, we noted that costs related to three operating expense reimbursements were determined for a period using fixed route statistics which included average costs per mile and hour, less preventative maintenance and farebox recovery. We also noted that documentation for three operating expense reimbursements for a period included only the payroll reports for fixed route drivers plus benefits, calculated using a fringe benefit percentage rate, and there was no documentation that fare revenues and other operating reimbursements had been deducted from the operating expense reimbursement. Cause: The Rhode Island Public Transit Authority did not account for CARES Act operating expense reimbursements in accordance with generally accepted accounting principles and did not adequately document CARES Act operating expense reimbursements. Effect: The Rhode Island Public Transit Authority has not accounted for and documented CARES Act operating expense reimbursement in accordance with Uniform Guidance (2 CFR 200) Subpart E ? Cost Principles and FTA Circular 9030.1E. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-044 We recommend that CARES Act operating expense reimbursements be prepared utilizing the Authority?s general ledger which is prepared in accordance with generally accepted accounting principles and documented using a worksheet prepared in accordance with FTA Circular 9030.1E, that excludes ineligible costs and deducts fares and other operating expense reimbursements.
RHODE ISLAND PUBLIC TRANSIT AUTHORITY ? ALLOWABLE COSTS Criteria: The Authority is responsible for establishing and maintaining effective internal controls over compliance with requirements of laws, regulations, contracts and grant agreements applicable to federal award programs. In addition, cost principles require that charges to federal award programs be supported by appropriate documentation including applying the proper reimbursement percentage based on the contract. Condition: We noted that costs related to two operating expense reimbursements were processed using the incorrect reimbursement rate based on the grant agreement. Cause: The Rhode Island Public Transit Authority applied the incorrect reimbursement rate on two invoices within our sample. Effect: The Rhode Island Public Transit Authority has not properly applied the reimbursement rate noted in the grant agreement. Questioned Costs: $213,099 Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-045 We recommend that the Authority develop a control to ensure that the proper reimbursement rates are being applied in relation to the specific grants that funding is being requested from.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
LEVEL OF EFFORT ? MAINTENANCE OF EFFORT (MOE) RIDOT does not have documentation supporting compliance with the Level of Effort ? Maintenance of Effort (MOE) requirement. The Department needs to establish an internal control structure to ensure compliance. Criteria: The State and Community Highway Safety program (Assistance Listing 20.600) and the National Priority Safety program (Assistance Listing 20.616), as authorized by the FAST Act, require that a state must maintain its aggregate expenditures from all other sources at or above the average level of such expenditures in fiscal years 2014 and 2015 for activities for Occupant Protection, State Traffic Safety Information System Improvements, and Impaired Driving Countermeasures (23 USC 405(a)(1)(H); 23 CFR sections 1200.21(d)(5), 1200.22(f), and 1200.23(d)(2), 1300.21(d)(5), 1300.22(c), and 1300.23(d)(2)). Condition: The Department was unable to provide documentation supporting the amounts identified as nonfederal expenditures for the base years of 2014 and 2015. The Department has identified a large pool of funds, State Police Highway Patrol salaries, to support compliance with the MOE requirements, however, there is no documentation supporting how or which salaries are being used to meet the specific requirements. Cause: RIDOT did not have adequate policies and procedures in place to document compliance with MOE. Effect: Potential noncompliance with federal rules and regulations regarding Maintenance of Effort. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATION 2022-046 Establish policies and procedures to document compliance with Maintenance of Effort. Maintain adequate detailed supporting documentation to support compliance with related Level of Effort requirements.
EARMARKING Controls over earmarking can be enhanced to ensure compliance with Federal requirements. Criteria: At least 40 percent of federal funds apportioned to a state under State and Community Highway Safety (20.600) for any fiscal year shall be expended by or for the political subdivisions of the state in carrying out local highway safety programs (23 USC 402(b)(1)(C); 23 CFR Part 1200, Appendix E and 1300 Appendix C). Condition: State and Community Highway Safety funds passed through to political subdivisions (i.e., cities and towns) only accounted for 21% of the federal funds apportioned to the State. Cause: The Department contends that the 40% requirement should be based on amounts expended by all subrecipients which includes organizations that do not meet the definition of political subdivision, for example non-profit organizations. Effect: Noncompliance with federal rules and regulations regarding earmarking. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATION 2022-047 Establish policies and procedures to ensure compliance with the earmarking requirement that no less than 40% of highway safety federal program funds are expended by or for political subdivisions of the State.
PERIOD OF PERFORMANCE Controls over period of performance can be enhanced to ensure compliance with Federal requirements. Criteria: The Highway Safety Cluster period of performance requirements are spelled out in 23 CFR 1300.41 as follows: ? Paragraph (b)(1) ?except as provided in paragraph (b)(2) of this section, unexpended grant funds shall not be available for expenditure beyond the period of three years after the last day of the fiscal year of apportionment or allocation.? ? Paragraph (b)(2) ?States may commit such unexpended grant funds to a specific project by the specified deadline, and shall provide documentary evidence of that commitment, including a copy of an executed project agreement, to the Regional Administrator.? ? Paragraph (b)(3) ?Grant funds committed to a specific project in accordance with paragraph (b)(2) of this section shall remain committed to that project and must be expended by the end of the succeeding fiscal year. The final voucher for that project shall be submitted within 120 days after the end of that fiscal year.? Condition: RIDOT was unable to provide documentation supporting its compliance with period of performance requirements. Federal awards lost their apportionment or allocation year identified within the Department when carried forward. We performed an analysis (in conjunction with reviewing the Obligation Limitation Report to ensure expired appropriations were not carried forward) that concluded the State materially complied with the period of performance requirement paragraph (b)(1) cited above, however, the lack of documentation prevented an assessment of the applicability of other period of performance compliance requirements (paragraphs (b)(2) and (3)). Cause: The Department does not have policies and procedures to ensure compliance with period of performance. Expenditures are not tracked by federal fiscal award year. Effect: Increased risk of noncompliance. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATION 2022-048 Develop policies and procedures to document compliance with period of performance requirements.
REPORTING OF PROGRAM EXPENDITURES The Department was unable to provide documentation supporting the amounts reported in the Highway Safety Plan Cost Summary and Federal Reimbursement Voucher reports. The Department?s current program accounting also results in program expenditures being duplicated in the State?s accounting system and Schedule of Expenditures of Federal Awards (SEFA). Criteria: HS Form 217 ? 23 CFR section 1200.11(e) states ?HS Form 217, meeting the requirements of Appendix B, be completed to reflect the State's proposed allocations of funds (including carry-forward funds) by program area. The funding level used shall be an estimate of available funding for the upcoming fiscal year based on amounts authorized for the fiscal year and projected carry-forward funds. Additionally, for each program area, an accompanying list of projects that the State proposes to conduct for that fiscal year and an estimated amount of Federal funds for each such project.? Federal Reimbursement Voucher ? 23 CFR 1200.33 states ?Each State shall submit official vouchers for expenses incurred to the Approving Official. At a minimum, each voucher shall provide the following information for expenses claimed in each program area: (1) Program Area for which expenses were incurred and an itemization of project numbers and amount of Federal funds expended for each project for which reimbursement is being sought; (2) Federal funds obligated; (3) Amount of Federal funds allocated to local benefit (provided no less than mid-year (by March 31) and with the final voucher); (4) Cumulative Total Cost to Date; (5) Cumulative Federal Funds Expended; (6) Previous Amount Claimed; (7) Amount Claimed this Period; (8) Matching rate (or special matching writeoff used, i.e., sliding scale rate authorized under 23 U.S.C. 120).? 2 CFR 200.510(b) Schedule of expenditures of Federal awards. ?The auditee must also prepare a schedule of expenditures of Federal awards for the period covered by the auditee's financial statements which must include the total Federal awards expended as determined in accordance with ? 200.502.? Condition: HS Form 217 ? RIDOT was unable to provide documentation supporting information included in the Highway Safety Plan Cost Summary report for 18 of the 25 projects tested, as follows (it should be noted that 3 projects are included in more than one error category): ? 8 projects included on the report were not included in the Highway Safety Plan; ? 6 projects? budget amounts included in the Highway Safety Plan Cost Summary report did not agree to supporting documentation; ? 7 projects State and/or Local share amounts did not agree to supporting documentation. Federal Reimbursement Voucher ? RIDOT was unable to provide documentation supporting amounts reported for; a.) HCS (Highway Cost Summary) Federal Funds Obligated, b.) Share to Local Benefit, and c.) State/Federal Cost to Date on the Federal Reimbursement Voucher for all 25 projects tested. Highway safety grants are expended by multiple departments within the State, namely the Attorney General?s Office, Department of Public Safety, Department of Health and RIDOT. Those departments record expenditures to federal accounts linked to HSC within the State?s accounting system (RIFANS) and then provide backup documentation to RIDOT for reimbursement. RIDOT then records those same expenditures within its Financial Management System (FMS) and RIFANS, as subrecipient payments, causing the expenditures to be duplicated in the State?s accounting system and Schedule of Expenditures of Federal Awards (SEFA) in an amount approximating $581,665. HSC expenditures were not duplicated on federal reports because RIDOT uses its FMS to report and claim HSC expenditures. Cause: RIDOT?s policies and procedures are not adequate to ensure the accurate completion of the Highway Safety Plan Cost Summary report. RIDOT?s use of multiple accounting systems to meet operational and financial reporting objectives results in unnecessary complexity and control weaknesses. Effect: Information provided to the National Highway Traffic Safety Administration may not be accurate. Inaccurate reporting of program expenditures in the State?s SEFA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-049a Enhance reporting policies and procedures over the completion and submission of the Highway Safety Plan Cost Summary (HS Form 217). Verify the amounts submitted are accurate and if necessary, resubmit with accurate and supported amounts. 2022-049b Enhance reporting policies and procedures over the completion and submission of the Federal Reimbursement Voucher report. 2022-049c Enhance controls and address current deficiencies in accounting procedures to ensure program expenditure within the State?s reporting entity are reported accurately on the SEFA.
SUBRECIPIENT MONITORING The Department?s internal control structure does not ensure all subrecipients are monitored in accordance with federal requirements. Criteria: All pass-through entities must monitor subrecipients to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved (2 CFR 200.332(d) through (f)). A pass-through entity (PTE) is responsible for: During-the-Award Monitoring ? Monitoring the activities of the subrecipient (through reporting, site visits, regular contact or other means) as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals (2 CFR sections 200.332(d) through (f)). Subaward monitoring must include the following: 1. Reviewing financial and programmatic (performance and special) reports required by the PTE. 2. Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the PTE detected through audits, on-site reviews, and other means. 3. Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the PTE as required by 2 CFR section 200.521. The PTE must verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient's federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in 2 CFR section 200.501 (2 CFR section 200.332(f)). Federal award recipients must determine whether each agreement entered into for the disbursement of federal program funds casts the entity receiving the funds in the role of a subrecipient or a contractor based on the following definitions (2 CFR 200.331): ? A subrecipient receives federal funds from a non-federal entity to carry out part of a federal program. The legal agreement between the two parties creates a federal assistance relationship commonly known as a sub-award. ? A contractor is an entity (dealer, distributor, merchant or other seller) who has a legal agreement with a non-federal entity to provide goods and services needed to carry out the program under the federal award. Condition: RIDOT passes federal awards through to many organization types, including municipalities, non-profits, and colleges/universities. The Department did not have documentation supporting the monitoring of three subrecipients, two of which are non-profits and one of which is a university. The Department did not review the audit reports for six subrecipients or have any documentation supporting its determination as to whether the subrecipients were required to have an audit as required by 2 CFR 200 subpart F. RIDOT identified three vendors providing goods or services to the department as subrecipients. Cause: Policies, procedures and established controls do not encompass all federal requirements. Effect: Monitoring controls and procedures may be insufficient to ensure that subrecipients are complying with applicable program regulations and requirements. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATION 2022-050 Enhance policies, procedures, and controls over subrecipient monitoring to ensure compliance with 2 CFR sections 200.332(d) through (f).
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
LEVEL OF EFFORT ? MAINTENANCE OF EFFORT (MOE) RIDOT does not have documentation supporting compliance with the Level of Effort ? Maintenance of Effort (MOE) requirement. The Department needs to establish an internal control structure to ensure compliance. Criteria: The State and Community Highway Safety program (Assistance Listing 20.600) and the National Priority Safety program (Assistance Listing 20.616), as authorized by the FAST Act, require that a state must maintain its aggregate expenditures from all other sources at or above the average level of such expenditures in fiscal years 2014 and 2015 for activities for Occupant Protection, State Traffic Safety Information System Improvements, and Impaired Driving Countermeasures (23 USC 405(a)(1)(H); 23 CFR sections 1200.21(d)(5), 1200.22(f), and 1200.23(d)(2), 1300.21(d)(5), 1300.22(c), and 1300.23(d)(2)). Condition: The Department was unable to provide documentation supporting the amounts identified as nonfederal expenditures for the base years of 2014 and 2015. The Department has identified a large pool of funds, State Police Highway Patrol salaries, to support compliance with the MOE requirements, however, there is no documentation supporting how or which salaries are being used to meet the specific requirements. Cause: RIDOT did not have adequate policies and procedures in place to document compliance with MOE. Effect: Potential noncompliance with federal rules and regulations regarding Maintenance of Effort. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATION 2022-046 Establish policies and procedures to document compliance with Maintenance of Effort. Maintain adequate detailed supporting documentation to support compliance with related Level of Effort requirements.
PERIOD OF PERFORMANCE Controls over period of performance can be enhanced to ensure compliance with Federal requirements. Criteria: The Highway Safety Cluster period of performance requirements are spelled out in 23 CFR 1300.41 as follows: ? Paragraph (b)(1) ?except as provided in paragraph (b)(2) of this section, unexpended grant funds shall not be available for expenditure beyond the period of three years after the last day of the fiscal year of apportionment or allocation.? ? Paragraph (b)(2) ?States may commit such unexpended grant funds to a specific project by the specified deadline, and shall provide documentary evidence of that commitment, including a copy of an executed project agreement, to the Regional Administrator.? ? Paragraph (b)(3) ?Grant funds committed to a specific project in accordance with paragraph (b)(2) of this section shall remain committed to that project and must be expended by the end of the succeeding fiscal year. The final voucher for that project shall be submitted within 120 days after the end of that fiscal year.? Condition: RIDOT was unable to provide documentation supporting its compliance with period of performance requirements. Federal awards lost their apportionment or allocation year identified within the Department when carried forward. We performed an analysis (in conjunction with reviewing the Obligation Limitation Report to ensure expired appropriations were not carried forward) that concluded the State materially complied with the period of performance requirement paragraph (b)(1) cited above, however, the lack of documentation prevented an assessment of the applicability of other period of performance compliance requirements (paragraphs (b)(2) and (3)). Cause: The Department does not have policies and procedures to ensure compliance with period of performance. Expenditures are not tracked by federal fiscal award year. Effect: Increased risk of noncompliance. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATION 2022-048 Develop policies and procedures to document compliance with period of performance requirements.
REPORTING OF PROGRAM EXPENDITURES The Department was unable to provide documentation supporting the amounts reported in the Highway Safety Plan Cost Summary and Federal Reimbursement Voucher reports. The Department?s current program accounting also results in program expenditures being duplicated in the State?s accounting system and Schedule of Expenditures of Federal Awards (SEFA). Criteria: HS Form 217 ? 23 CFR section 1200.11(e) states ?HS Form 217, meeting the requirements of Appendix B, be completed to reflect the State's proposed allocations of funds (including carry-forward funds) by program area. The funding level used shall be an estimate of available funding for the upcoming fiscal year based on amounts authorized for the fiscal year and projected carry-forward funds. Additionally, for each program area, an accompanying list of projects that the State proposes to conduct for that fiscal year and an estimated amount of Federal funds for each such project.? Federal Reimbursement Voucher ? 23 CFR 1200.33 states ?Each State shall submit official vouchers for expenses incurred to the Approving Official. At a minimum, each voucher shall provide the following information for expenses claimed in each program area: (1) Program Area for which expenses were incurred and an itemization of project numbers and amount of Federal funds expended for each project for which reimbursement is being sought; (2) Federal funds obligated; (3) Amount of Federal funds allocated to local benefit (provided no less than mid-year (by March 31) and with the final voucher); (4) Cumulative Total Cost to Date; (5) Cumulative Federal Funds Expended; (6) Previous Amount Claimed; (7) Amount Claimed this Period; (8) Matching rate (or special matching writeoff used, i.e., sliding scale rate authorized under 23 U.S.C. 120).? 2 CFR 200.510(b) Schedule of expenditures of Federal awards. ?The auditee must also prepare a schedule of expenditures of Federal awards for the period covered by the auditee's financial statements which must include the total Federal awards expended as determined in accordance with ? 200.502.? Condition: HS Form 217 ? RIDOT was unable to provide documentation supporting information included in the Highway Safety Plan Cost Summary report for 18 of the 25 projects tested, as follows (it should be noted that 3 projects are included in more than one error category): ? 8 projects included on the report were not included in the Highway Safety Plan; ? 6 projects? budget amounts included in the Highway Safety Plan Cost Summary report did not agree to supporting documentation; ? 7 projects State and/or Local share amounts did not agree to supporting documentation. Federal Reimbursement Voucher ? RIDOT was unable to provide documentation supporting amounts reported for; a.) HCS (Highway Cost Summary) Federal Funds Obligated, b.) Share to Local Benefit, and c.) State/Federal Cost to Date on the Federal Reimbursement Voucher for all 25 projects tested. Highway safety grants are expended by multiple departments within the State, namely the Attorney General?s Office, Department of Public Safety, Department of Health and RIDOT. Those departments record expenditures to federal accounts linked to HSC within the State?s accounting system (RIFANS) and then provide backup documentation to RIDOT for reimbursement. RIDOT then records those same expenditures within its Financial Management System (FMS) and RIFANS, as subrecipient payments, causing the expenditures to be duplicated in the State?s accounting system and Schedule of Expenditures of Federal Awards (SEFA) in an amount approximating $581,665. HSC expenditures were not duplicated on federal reports because RIDOT uses its FMS to report and claim HSC expenditures. Cause: RIDOT?s policies and procedures are not adequate to ensure the accurate completion of the Highway Safety Plan Cost Summary report. RIDOT?s use of multiple accounting systems to meet operational and financial reporting objectives results in unnecessary complexity and control weaknesses. Effect: Information provided to the National Highway Traffic Safety Administration may not be accurate. Inaccurate reporting of program expenditures in the State?s SEFA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-049a Enhance reporting policies and procedures over the completion and submission of the Highway Safety Plan Cost Summary (HS Form 217). Verify the amounts submitted are accurate and if necessary, resubmit with accurate and supported amounts. 2022-049b Enhance reporting policies and procedures over the completion and submission of the Federal Reimbursement Voucher report. 2022-049c Enhance controls and address current deficiencies in accounting procedures to ensure program expenditure within the State?s reporting entity are reported accurately on the SEFA.
SUBRECIPIENT MONITORING The Department?s internal control structure does not ensure all subrecipients are monitored in accordance with federal requirements. Criteria: All pass-through entities must monitor subrecipients to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved (2 CFR 200.332(d) through (f)). A pass-through entity (PTE) is responsible for: During-the-Award Monitoring ? Monitoring the activities of the subrecipient (through reporting, site visits, regular contact or other means) as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals (2 CFR sections 200.332(d) through (f)). Subaward monitoring must include the following: 1. Reviewing financial and programmatic (performance and special) reports required by the PTE. 2. Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the PTE detected through audits, on-site reviews, and other means. 3. Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the PTE as required by 2 CFR section 200.521. The PTE must verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient's federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in 2 CFR section 200.501 (2 CFR section 200.332(f)). Federal award recipients must determine whether each agreement entered into for the disbursement of federal program funds casts the entity receiving the funds in the role of a subrecipient or a contractor based on the following definitions (2 CFR 200.331): ? A subrecipient receives federal funds from a non-federal entity to carry out part of a federal program. The legal agreement between the two parties creates a federal assistance relationship commonly known as a sub-award. ? A contractor is an entity (dealer, distributor, merchant or other seller) who has a legal agreement with a non-federal entity to provide goods and services needed to carry out the program under the federal award. Condition: RIDOT passes federal awards through to many organization types, including municipalities, non-profits, and colleges/universities. The Department did not have documentation supporting the monitoring of three subrecipients, two of which are non-profits and one of which is a university. The Department did not review the audit reports for six subrecipients or have any documentation supporting its determination as to whether the subrecipients were required to have an audit as required by 2 CFR 200 subpart F. RIDOT identified three vendors providing goods or services to the department as subrecipients. Cause: Policies, procedures and established controls do not encompass all federal requirements. Effect: Monitoring controls and procedures may be insufficient to ensure that subrecipients are complying with applicable program regulations and requirements. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATION 2022-050 Enhance policies, procedures, and controls over subrecipient monitoring to ensure compliance with 2 CFR sections 200.332(d) through (f).
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
CONTROLS OVER ALLOWABILITY OF EXPENDITURES TO THE CORONAVIRUS RELIEF FUND Monitoring of certain project expenditures was not sufficient to ensure that awarded CRF funding complied with the State?s project approval. Background: The State created the Pandemic Recovery Office (PRO) to oversee the distribution of Coronavirus Relief Funds and provide guidance to State agencies and departments regarding allowable uses of the CRF funding. The PRO implemented a centralized review and pre-approval process for projects and activities funded by the CRF and other CARES Act funding. This process had three primary phases: (1) review of the initial project design; (2) determination of compliance as an allowable activity as per the federal guidance issued; and (3) governance. Personnel within the Department of Administration?s Grants Management Office, PRO, Office of Internal Audit and the Office of Management and Budget were utilized for the various phases. Most CRF funding to external entities and providers included subsequent reporting procedures or other monitoring to ensure that funds were ultimately spent for the approved purposes. Criteria: Management is responsible for designing and maintaining internal controls over compliance with federal requirements for allowable costs. Controls should be sufficient to ensure that all uses of federal funding meet the applicable allowability criteria. Condition: Our review and inquiry of certain fiscal 2022 CRF expenditures found that subsequent monitoring procedures by the State were not performed to ensure that awarded CRF funding complied with the State?s project approval. Specifically, for certain CRF awards, the State did not provide any post award reporting by the recipient entity or subsequent monitoring to ensure that the approved funding was expended in accordance with the project authorization. Cause: Lack of sufficient post award reporting requirements or monitoring procedures to document allowability of CRF expenditures in accordance with project authorization. Effect: CRF funding could have been expended for unallowable costs. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-051 Ensure that future pandemic recovery project authorizations have subsequent reporting or other monitoring requirements to fully support the post award allowability of the funding awarded.
CONTROLS OVER PANDEMIC-RELATED EXPENDITURES ALLOCABLE TO MULTIPLE FEDERAL AWARDS The State had insufficient controls to ensure expenditures were not reimbursed from more than one award under federal programs with similar pandemic response related objectives. Background: The State received an unprecedented amount of federal assistance to respond to the effects of the global pandemic including $1.25 billion for the Coronavirus Relief Fund (CRF) pursuant to the CARES Act. Assistance was also received under the FEMA Stafford Act Disaster Grants program and the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program. Certain costs were reimbursable under any of these programs and federal guidance was continually evolving which resulted in changing direction as to which costs were to be applied to a specific federal award. As guidelines and circumstances changed expenditures were often applied to one funding source and then subsequently adjusted to another funding source. Adjustments of program expenditures between federal programs often overlapped fiscal years due to the length of the pandemic. Criteria: Expenditures may only be reimbursed from one federal award. Condition: Due to changing federal guidelines and the evolving State response to the pandemic, costs were often charged to one funding source and then later moved to another funding source. When expenditures are reclassified or reallocated within the RIFANS accounting system, journal entries are used to move the aggregate dollar activity; however, the original transaction (expenditure/disbursement) remains in the account originally charged offset by a credit. This process complicates the identification of the underlying expenditures reimbursed by the federal award and increases the risk that expenditures could be reimbursed from more than one federal award. During fiscal 2022, we noted the following adjustments to financial activity supporting the cited control deficiency: ? Approximately $6.0 million in expenditures were adjusted from ELC to FEMA, and $2.9 million in expenditures adjusted from FEMA to ELC, including $2.3 million that is identified as ineligible for reimbursement to FEMA?s Disaster Grants program. ? Approximately $7.0 million was adjusted from CRF to FEMA?s Disaster Grants program and another $1.9 million from FEMA?s Disaster Grants program to CRF. Of those, $423,902 were identified as ineligible for reimbursement to FEMA?s Disaster Grants program, including some from the prior fiscal year. Controls were insufficient to ensure that costs were not reimbursed from more than one federal award. The State?s process for recording accounting adjustments via aggregate dollar journal entries limits the effectiveness of controls to prevent duplicate reimbursement from federal funding sources. Reconciliations to adequately identify any potential duplicate reimbursements were incomplete during fiscal 2022 but continued after the close of the fiscal year. Numerous journal entries were subsequently processed in fiscal 2022 to adjust COVID-related activity, for expenditures claimed in fiscal 2021 and fiscal 2020, between federal funding sources (principally CRF, FEMA, and ELC). While we acknowledge that the State has performed significant reconciliation procedures to identify instances where expenditures were charged to multiple federal programs, the manually intensive nature of those procedures does not fully mitigate the risk of the control deficiency. Cause: Due to the rapid response required during the pandemic, the existence of multiple federal funding sources, and continually evolving federal guidance, costs were moved and adjusted in the accounting system to various funding sources, which increased the risk that a cost could be reimbursed from more than one federal award. Effect: Potential duplicate reimbursement of expenditures from more than one federal award. Potential of charging costs for unallowable activities to federal programs as the expenditure detail is not maintained when expenditures are adjusted in the accounting system. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-052 Ensure reconciliations and any required adjustments are complete to demonstrate that eligible COVID program costs were not reimbursed from more than one federal funding source.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
LACK OF ADEQUATE DOCUMENTATION TO SUPPORT THE PROPORTION OF COSTS ALLOCATED TO THE PROGRAM Costs associated with financial and reporting support services were not adequately documented to support the allocation to the program. Criteria: Allowable cost principles prescribed by the Uniform Guidance requires costs charged to federal awards to be adequately documented. Documentation associated with federal grants should be sufficient to support the allocation of costs to the program. If costs are allocated to two or more activities, they must be allocated to those activities based on the proportional benefit, or allocated on a reasonable basis if the underlying benefit is to multiple programs. Condition: Costs allocated to the program for consultant fees were not sufficiently documented to support the amount apportioned to the State Fiscal Recovery Fund (SFRF) program. The Pandemic Recovery Office employed the use of a consultant to provide additional financial and reporting support services in the administration of federal programs receiving COVID-related funding in fiscal 2022. These services were administered under a contract between the State and vendor that outlined general responsibilities related to various federal programs, including the SFRF, for a flat monthly fee. Vendor invoices billing the State monthly in accordance with the contract fee were subsequently allocated to various accounts, including the SFRF. However, neither the contract and its addendums nor the vendor invoices were sufficiently detailed to support the proportionate allocation to the program. Cause: The contract with the consultant did not include a requirement to document support services provided (and invoiced) to the State at the federal program level to properly support the direct allocation to the underlying federal programs. Effect: Expenditures allocated to the program for the financial and reporting services were not fully supported in accordance with federal allowable cost principles under the Uniform Guidance. Questioned Costs: Undetermined Valid Statistical Sampling: Yes RECOMMENDATION 2022-053 Enhance procedures for documenting administrative costs (specifically contractor support services) allocated to federal programs to ensure compliance with Uniform Guidance.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
LEVEL OF EFFORT ? SUPPLEMENT NOT SUPPLANT RIDE did not ensure the Local Education Agencies (LEAs) have the required written methodology to allocate state and local funds to each Title I school and to ensure that the school receives all of the state and local funds it would otherwise receive if it were not receiving Part A funds. Criteria: The State Education Agency (SEA) must review the LEA compliance with the Title I Part A supplement not supplant provision (e.g., through subrecipient monitoring). Part A supplement not supplant provision states the ?LEA must demonstrate that it has a methodology (e.g., through written procedures) and uses it to allocate state and local funds to each Title I school and ensures that the school receives all of the state and local funds it would otherwise receive if it were not receiving Part A funds (i.e., the LEA?s methodology may not take into account a school?s Title I status) (Section 1118(b)(2) (20 USC 6321(b)(2))). An LEA may use a combination of methodologies to allocate state and local funds to schools (e.g., use a different methodology for high schools than it uses for elementary schools). An LEA also may design its methodology to take into consideration grade span or school type, student enrollment size, or schools in need of additional funds to serve high concentrations of children with disabilities, English learners, or other such groups of students the LEA determines require additional support. RIDE can review the LEA compliance with the part A supplement not supplant provision through sub-recipient monitoring.? 2 CFR 200.332 states ?Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.? Condition: RIDE?s risk assessment identified that 22 of the 36 applicable LEAs did not have a written methodology to allocate state and local funds to each Title I school and to ensure that the school receives all of the state and local funds it would otherwise receive if it were not receiving Part A funds. The Department did not perform any follow-up to ensure the LEAs took timely and appropriate action to correct the identified deficiency. Cause: RIDE informed us that on-site subrecipient monitoring did not occur due to COVID-19 and lack of available resources. The majority of subrecipient monitoring took place virtually. Although RIDE monitored the subrecipients, they did not obtain corrective action from the LEAs regarding the lack of supplement not supplant policies and procedures. Effect: Noncompliance with federal rules and regulations. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-054 Enhance internal controls over LEA supplement not supplant requirements by obtaining corrective actions from LEA subrecipients that are not complying with federal requirements for formalized methodologies.
SPECIAL TESTS AND PROVISIONS ? OVERSIGHT AND MONITORING RESPONSIBILITIES WITH RESPECT TO CHARTER SCHOOLS WITH RELATIONSHIPS WITH CHARTER MANAGEMENT ORGANIZATIONS RIDE does not have any specific procedures to assess the risk posed by conflicts of interest, related party transactions or insufficient segregation of duties between the Charter School and Charter Management Organization (CMO). Criteria: As grantees, SEAs/LEAs are responsible for overseeing and monitoring subrecipients, including charter schools with relationships with Charter Management Organizations (CMOs). The SEA/LEA must: (1) evaluate each subrecipient?s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining appropriate subrecipient monitoring (2 CFR section 200.332(b)); and (2) monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved (2 CFR section 200.332(d)). Charter schools with relationships with CMOs that receive federal grant funds must comply with statutes authorizing the applicable grant program, regulations, the terms and conditions of their grant awards, and relevant department-issued guidance. Additionally, under Title 2 of the Code of Federal Regulations Part 200 ? Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Grant Guidance), nonfederal entities that receive federal grants: (1) must establish and maintain effective internal controls over those funds and (2) should have internal controls that comply with the US Government Accountability Office (GAO) ?Standards for Internal Control in the Federal Government? (Green Book), issued in November 1999 and updated in September 2014, or the ?Internal Control ? Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 1992 and updated in May 2013. The Green Book and the COSO Internal Control ? Integrated Framework (COSO framework) provide specific requirements for assessing and reporting on controls in the federal government. Additional requirements applicable to nonfederal entities receiving federal funds include: (1) the Code of Federal Regulations (CFR) requirements regarding conflicts of interest, (2) guidance regarding related-party transactions in generally accepted accounting principles, and (3) the GAO Green Book and COSO framework guidance regarding segregation of duties applicable to charter schools with relationships with CMOs. Condition: RIDE?s policies, procedures, and internal control for reviewing charter schools with relationships with Charter Management Organizations (CMOs) is the same for all Local Education Agencies (LEA). Those policies and procedures do not include any specific procedures to assess the risk posed by conflicts of interest, related party transactions or insufficient segregation of duties between the Charter School and CMO. Cause: RIDE currently has one Charter School with a relationship with a CMO and they did not modify their policies, procedures, and internal controls to address the Federal requirements related to the relationship. Effect: RIDE is not in compliance with federal regulations. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-055 Enhance the policies, procedures, and internal controls over monitoring LEAs, Charter Schools, and Charter Schools with relationships to CMOs to include assessing the risk posed by conflicts of interest, related-party transactions or insufficient segregation of duties between the Charter School and CMO.
ACTIVITIES ALLOWED OR UNALLOWED Information technology (IT) security controls over the Accelegrants system need improvement to protect reliability of the system data used to administer federal compliance for the Title 1 program. Background: The Local Education Agencies (LEAs) generate and submit their Consolidated Resource Plan (CRP) to the Rhode Island Department of Education (RIDE) through the Accelegrants System ? an application provided by a third-party vendor. Using this information, RIDE allocates Title I Grants to Local Education Agencies funds to the LEAs. Additionally, the LEAs submit their requests for distributions of such federal funds through Accelegrants. The State allocation of Title I funding is reliant on the data reported in Accelegrants. Criteria: Management should ensure that systems critical to the administration of federal programs comply with IT security industry standards and best practices. The State has adopted such practices through its Division of Information Technology for agencies to comply with. Condition: Our evaluation of RIDE?s information systems security management noted several areas in need of improvement. Efforts are needed to provide a comprehensive approach to address critical system security requirements that, most importantly, addresses the following: ? Access Management: o There was no formal, documented process to either request or track user account changes (including additions, deletions, and privilege changes). o Due to a lack of a formal user account request and tracking process, it could not be determined whether user access was appropriate or removed timely. We noted that access was still available for a high number of inactive users, many with inactive periods in excess of one year. o There was no formal documented periodic review of either User Access or Privileges to validate whether the granted access was still appropriate. ? IT Risk Assessment ? there was no documented agency IT Risk Assessment process for the application and the vendor security practices. ? SOC 2 User Complementary Controls ? There was no documented evidence of agency assessment or addressing of User Complementary Controls that were specified in the vendor provided SOC 2 report. ? Vendor Management ? there is no agency evidence of IT Vendor Management oversight to ensure vendor conformance to industry standards and best practices. The agency has no method to document and review the SOC 2 report provided by the vendor. Cause: Lack of dedicated resources and documentation. Effect: Potential for IT security vulnerabilities from going unresolved and impacting application and data reliability. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-056a Enhance controls and timeframes to ensure prompt termination of system access when employees leave or change functions. Document timely reviews of access privileges to determine if access is appropriate. 2022-056b Perform and document an IT Risk Assessment on a periodic basis. 2022-056c Review vendor identified user complementary controls specified in the vendor SOC 2 report and maintain the agency response as to relevance and how they are being addressed. 2022-056d Implement basic agency IT Vendor Management oversight to ensure conformance with industry standards and best practices.
RHODE ISLAND COLLEGE ? HIGHER EDUCATION EMERGENCY RELIEF FUND (HEERF) REPORTING Criteria: The CARES Act 18004(e) and the CRRSAA 314(e) requires an institution receiving funds under HEERF I and HEERF II to submit a report to the secretary, at such time in a such a manner as the secretary may require. 1.) Quarterly public reporting for institutional requires a new, separate form to be posted covering aggregate amounts spent for HEERF I, HEERF II, and HEERF III funds each quarterly reporting period due no later than 10 days after the end of each calendar quarter. 2.) The 45-day and quarterly public reporting for the student aid portion requires certain information to be posted on the website no later than 10 days after the end of each period or calendar quarter. 3.) Annual calendar year reporting covering aggregate amounts spent for HEERF I, HEERF II, and HEERF III funds to be submitted to the Department of Education. Condition: During our testing, we noted the College did not post 2 of the 4 quarterly postings within the 10-day timeframe. The College could also not provide or produce underlying support for line items 3 and 5 of the quarterly report. Also, during our testing of the annual report for the student aid and institutional aid portion, the College was unable to provide and produce support for certain line items in the report. Context: During our testing, we noted the College did not post 2 of the 4 quarterly postings within the 10 day timeframe. For 1 of the 2 reports tested, we were not provided documentation for items 3 and 5 of the student public quarterly report. During our testing of the annual report for the calendar year 2021, the College could not provide support for line items 8(a) HEERF: (a)(1) Student Aid Portion Amount Disbursed: Amount of Emergency Financial Aid Grants applied to satisfy student?s outstanding account balance upon receiving affirmative written consent from students to do so; and 8(a) HEERF: (a)(1) Institutional Portion Amount Disbursed: Amount of Emergency Financial Aid Grants applied to satisfy student?s outstanding account balance. Cause: The College did not have a process in place to ensure reports were timely uploaded to the College?s website and a process to keep documentation on file to support the reports. Effect: Failure to support the amounts within the reports and to file the quarterly reports timely may result in loss of funding. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-057 We recommend that the College review their procedures to ensure that reports are submitted timely, and that documentation is kept for all reports.
UNIVERSITY OF RHODE ISLAND ? REPORTING Criteria: Institutions receiving funds under the Higher Education Emergency Relief Fund (HEERF) are required to submit a report to the secretary, at such time in such a manner as the secretary may require. Quarterly public reporting is required to report items noted in the Federal Register, Volume 85, No. 169 and Volume 86, No. 91 ? Department of Education, Notice of Public Posting Requirements of Grant Information for HEERF. A required element is that the estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under CARES (a)(1) subprogram and the CRRSAA and ARP (a)(1) subprograms. The University is required to establish and maintain effective internal control over the Federal award that provides reasonable assurance that the University is managing the Federal award in compliance with Federal statutes. (2 CFR subsection 200.303). Condition: The University did not include information regarding the number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students. Context: Two of the four required quarterly reports were tested, both reports omitted information regarding the number of students at the University that were eligible to receive Emergency Financial Aid Grants. Cause: The University?s system of internal control did not contain elements to ensure all information required to be reported was included in the quarterly sales reports. Effect: The University?s quarterly reports did not contain one of the required elements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-058 We recommend that the University review its internal control procedures and policies that ensure all federal grant reporting requirements are met and make changes as needed.
RHODE ISLAND COLLEGE ? HIGHER EDUCATION EMERGENCY RELIEF FUND (HEERF) REPORTING Criteria: The CARES Act 18004(e) and the CRRSAA 314(e) requires an institution receiving funds under HEERF I and HEERF II to submit a report to the secretary, at such time in a such a manner as the secretary may require. 1.) Quarterly public reporting for institutional requires a new, separate form to be posted covering aggregate amounts spent for HEERF I, HEERF II, and HEERF III funds each quarterly reporting period due no later than 10 days after the end of each calendar quarter. 2.) The 45-day and quarterly public reporting for the student aid portion requires certain information to be posted on the website no later than 10 days after the end of each period or calendar quarter. 3.) Annual calendar year reporting covering aggregate amounts spent for HEERF I, HEERF II, and HEERF III funds to be submitted to the Department of Education. Condition: During our testing, we noted the College did not post 2 of the 4 quarterly postings within the 10-day timeframe. The College could also not provide or produce underlying support for line items 3 and 5 of the quarterly report. Also, during our testing of the annual report for the student aid and institutional aid portion, the College was unable to provide and produce support for certain line items in the report. Context: During our testing, we noted the College did not post 2 of the 4 quarterly postings within the 10 day timeframe. For 1 of the 2 reports tested, we were not provided documentation for items 3 and 5 of the student public quarterly report. During our testing of the annual report for the calendar year 2021, the College could not provide support for line items 8(a) HEERF: (a)(1) Student Aid Portion Amount Disbursed: Amount of Emergency Financial Aid Grants applied to satisfy student?s outstanding account balance upon receiving affirmative written consent from students to do so; and 8(a) HEERF: (a)(1) Institutional Portion Amount Disbursed: Amount of Emergency Financial Aid Grants applied to satisfy student?s outstanding account balance. Cause: The College did not have a process in place to ensure reports were timely uploaded to the College?s website and a process to keep documentation on file to support the reports. Effect: Failure to support the amounts within the reports and to file the quarterly reports timely may result in loss of funding. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-057 We recommend that the College review their procedures to ensure that reports are submitted timely, and that documentation is kept for all reports.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
TIME AND EFFORT REPORTING RIDOH?s time and effort reporting for general COVID-related activities did not provide adequate detail to fully support personnel costs charged to federal programs. Background: RIDOH has built robust, but complex, time reporting worksheets for employees to allocate their time spent on various activities during the week. Reconciliation of the hours worked versus the hours charged to the State?s payroll system and accounting system is performed on a quarterly basis and amounts recorded are adjusted accordingly to ensure charges in the accounting system are consistent with actual time spent on the various activities. Due to the challenges at the start of the pandemic and uncertainty regarding how costs would be funded, RIDOH adopted a general timesheet category for COVID-19 related personnel activities. Time and effort charged to this category ultimately gets allocated to federal programs in conjunction with RIDOH?s quarterly allocation of personnel costs. Criteria: 45 CFR 75.430(i)(1) requires that ?Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed.? Condition: Our review of personnel costs identified the following deficiencies that weaken controls over the allowability of personnel expenditures: ? Amounts allocated to federal programs for personnel costs were not consistently supported by properly signed and reviewed timesheets. For the Immunization program, while RIDOH was able to provide timesheets for all selected pay periods, 7 of the 74 selected weekly timesheets lacked either an employee or supervisor signature. For the ELC program, 3 of the 74 selected weekly timesheets lacked supervisor signatures, and there was no provided support, including a timesheet, for one selected payroll transaction. ? Time and effort identified to the general COVID-19 category lacked sufficient detail (i.e., underlying activity performed in support of COVID-19 response) to support its specific federal program allocation. While we found that the allowability for personnel costs charged to the underlying programs was reasonable based on the employee?s position and responsibilities, improved timesheet documentation detailing the specific activities worked by the employee (in relation to COVID-19 response) would significantly improve supporting documentation of allowable costs for these programs. Cause: The challenges in responding to the COVID 19 pandemic dramatically complicated RIDOH?s allocation of personnel expenditures amongst federal programs. The State?s lack of sufficient timesheet detail for designated COVID-19 time and effort activities (in conjunction with a lack of an integrated time and effort reporting system to easily allocate personnel costs over multiple funding sources) prevented direct verification of recorded timesheet activities to the underlying charge on federal programs. Effect: Personnel costs reimbursed from Federal awards could be unallowable due to insufficient support and documentation. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-059 Enhance weekly reporting of time and effort for COVID-19 activities to improve documentation and support for personnel costs charged to federal programs.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
TIME AND EFFORT REPORTING RIDOH?s time and effort reporting for general COVID-related activities did not provide adequate detail to fully support personnel costs charged to federal programs. Background: RIDOH has built robust, but complex, time reporting worksheets for employees to allocate their time spent on various activities during the week. Reconciliation of the hours worked versus the hours charged to the State?s payroll system and accounting system is performed on a quarterly basis and amounts recorded are adjusted accordingly to ensure charges in the accounting system are consistent with actual time spent on the various activities. Due to the challenges at the start of the pandemic and uncertainty regarding how costs would be funded, RIDOH adopted a general timesheet category for COVID-19 related personnel activities. Time and effort charged to this category ultimately gets allocated to federal programs in conjunction with RIDOH?s quarterly allocation of personnel costs. Criteria: 45 CFR 75.430(i)(1) requires that ?Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed.? Condition: Our review of personnel costs identified the following deficiencies that weaken controls over the allowability of personnel expenditures: ? Amounts allocated to federal programs for personnel costs were not consistently supported by properly signed and reviewed timesheets. For the Immunization program, while RIDOH was able to provide timesheets for all selected pay periods, 7 of the 74 selected weekly timesheets lacked either an employee or supervisor signature. For the ELC program, 3 of the 74 selected weekly timesheets lacked supervisor signatures, and there was no provided support, including a timesheet, for one selected payroll transaction. ? Time and effort identified to the general COVID-19 category lacked sufficient detail (i.e., underlying activity performed in support of COVID-19 response) to support its specific federal program allocation. While we found that the allowability for personnel costs charged to the underlying programs was reasonable based on the employee?s position and responsibilities, improved timesheet documentation detailing the specific activities worked by the employee (in relation to COVID-19 response) would significantly improve supporting documentation of allowable costs for these programs. Cause: The challenges in responding to the COVID 19 pandemic dramatically complicated RIDOH?s allocation of personnel expenditures amongst federal programs. The State?s lack of sufficient timesheet detail for designated COVID-19 time and effort activities (in conjunction with a lack of an integrated time and effort reporting system to easily allocate personnel costs over multiple funding sources) prevented direct verification of recorded timesheet activities to the underlying charge on federal programs. Effect: Personnel costs reimbursed from Federal awards could be unallowable due to insufficient support and documentation. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-059 Enhance weekly reporting of time and effort for COVID-19 activities to improve documentation and support for personnel costs charged to federal programs.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
TIME AND EFFORT REPORTING RIDOH?s time and effort reporting for general COVID-related activities did not provide adequate detail to fully support personnel costs charged to federal programs. Background: RIDOH has built robust, but complex, time reporting worksheets for employees to allocate their time spent on various activities during the week. Reconciliation of the hours worked versus the hours charged to the State?s payroll system and accounting system is performed on a quarterly basis and amounts recorded are adjusted accordingly to ensure charges in the accounting system are consistent with actual time spent on the various activities. Due to the challenges at the start of the pandemic and uncertainty regarding how costs would be funded, RIDOH adopted a general timesheet category for COVID-19 related personnel activities. Time and effort charged to this category ultimately gets allocated to federal programs in conjunction with RIDOH?s quarterly allocation of personnel costs. Criteria: 45 CFR 75.430(i)(1) requires that ?Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed.? Condition: Our review of personnel costs identified the following deficiencies that weaken controls over the allowability of personnel expenditures: ? Amounts allocated to federal programs for personnel costs were not consistently supported by properly signed and reviewed timesheets. For the Immunization program, while RIDOH was able to provide timesheets for all selected pay periods, 7 of the 74 selected weekly timesheets lacked either an employee or supervisor signature. For the ELC program, 3 of the 74 selected weekly timesheets lacked supervisor signatures, and there was no provided support, including a timesheet, for one selected payroll transaction. ? Time and effort identified to the general COVID-19 category lacked sufficient detail (i.e., underlying activity performed in support of COVID-19 response) to support its specific federal program allocation. While we found that the allowability for personnel costs charged to the underlying programs was reasonable based on the employee?s position and responsibilities, improved timesheet documentation detailing the specific activities worked by the employee (in relation to COVID-19 response) would significantly improve supporting documentation of allowable costs for these programs. Cause: The challenges in responding to the COVID 19 pandemic dramatically complicated RIDOH?s allocation of personnel expenditures amongst federal programs. The State?s lack of sufficient timesheet detail for designated COVID-19 time and effort activities (in conjunction with a lack of an integrated time and effort reporting system to easily allocate personnel costs over multiple funding sources) prevented direct verification of recorded timesheet activities to the underlying charge on federal programs. Effect: Personnel costs reimbursed from Federal awards could be unallowable due to insufficient support and documentation. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-059 Enhance weekly reporting of time and effort for COVID-19 activities to improve documentation and support for personnel costs charged to federal programs.
INSUFFICIENT DOCUMENTATION OF SUBAWARD AGREEMENTS TO SUPPORT ALLOCATION OF SUBRECIPIENT PAYMENTS TO THE ELC PROGRAM RIDOH lacked sufficient documentation of subawards (subrecipient agreements) to support the allocation of subrecipient payments to the ELC program. Criteria: 45 CFR 75.352 (a) ?Requirements for pass-through entities?, requires all pass-through entities to ?ensure that every subaward is clearly identified to the subrecipient as a subaward? and to include certain prescribed information, including the CFDA [Assistance Listing] number and name. The pass-through entity must ?identify the dollar amount made available under each Federal award and the CFDA number at the time of disbursement?. Condition: We tested a sample of 59 payments to subrecipients and the underlying subaward contracts for the required federal award information. Of the related 45 subaward contracts reviewed, we noted three instances where the original contracts expired prior to the beginning of the fiscal year and the related extensions did not identify the ELC program as an applicable federal funding source. RIDOH leveraged preexisting contracts to local entities identified as ?health equity zones? (HEZs). The health equity zone contracts include numerous contract amendments extending those agreements. The extensions reviewed in fiscal 2021 appropriately indicated ELC as a federal funding source of the subaward. In fiscal 2022, subaward agreements were again extended, however, in the case of three subaward agreements reviewed, the ELC program was not indicated as an applicable federal funding source. Proper identification of the relevant federal program information, including the relevant Assistance Listing number, is critical to ensuring that subrecipients are aware of the program restrictions to which they are required to adhere. Cause: Insufficient documentation to support the allowability of certain subawards charged to the ELC program. Effect: Potential noncompliance due to a lack of documentation to support allowability in accordance with federal regulations. Absence of the relevant identifying federal program information in subaward agreements increases the risk of noncompliance with federal regulations by the subrecipient. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-060 Ensure all subrecipient contracts and subsequent amendments contain the relevant identifying federal program information as required by Uniform Guidance.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
CONTROLS OVER PANDEMIC-RELATED EXPENDITURES ALLOCABLE TO MULTIPLE FEDERAL AWARDS The State had insufficient controls to ensure expenditures were not reimbursed from more than one award under federal programs with similar pandemic response related objectives. Background: The State received an unprecedented amount of federal assistance to respond to the effects of the global pandemic including $1.25 billion for the Coronavirus Relief Fund (CRF) pursuant to the CARES Act. Assistance was also received under the FEMA Stafford Act Disaster Grants program and the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program. Certain costs were reimbursable under any of these programs and federal guidance was continually evolving which resulted in changing direction as to which costs were to be applied to a specific federal award. As guidelines and circumstances changed expenditures were often applied to one funding source and then subsequently adjusted to another funding source. Adjustments of program expenditures between federal programs often overlapped fiscal years due to the length of the pandemic. Criteria: Expenditures may only be reimbursed from one federal award. Condition: Due to changing federal guidelines and the evolving State response to the pandemic, costs were often charged to one funding source and then later moved to another funding source. When expenditures are reclassified or reallocated within the RIFANS accounting system, journal entries are used to move the aggregate dollar activity; however, the original transaction (expenditure/disbursement) remains in the account originally charged offset by a credit. This process complicates the identification of the underlying expenditures reimbursed by the federal award and increases the risk that expenditures could be reimbursed from more than one federal award. During fiscal 2022, we noted the following adjustments to financial activity supporting the cited control deficiency: ? Approximately $6.0 million in expenditures were adjusted from ELC to FEMA, and $2.9 million in expenditures adjusted from FEMA to ELC, including $2.3 million that is identified as ineligible for reimbursement to FEMA?s Disaster Grants program. ? Approximately $7.0 million was adjusted from CRF to FEMA?s Disaster Grants program and another $1.9 million from FEMA?s Disaster Grants program to CRF. Of those, $423,902 were identified as ineligible for reimbursement to FEMA?s Disaster Grants program, including some from the prior fiscal year. Controls were insufficient to ensure that costs were not reimbursed from more than one federal award. The State?s process for recording accounting adjustments via aggregate dollar journal entries limits the effectiveness of controls to prevent duplicate reimbursement from federal funding sources. Reconciliations to adequately identify any potential duplicate reimbursements were incomplete during fiscal 2022 but continued after the close of the fiscal year. Numerous journal entries were subsequently processed in fiscal 2022 to adjust COVID-related activity, for expenditures claimed in fiscal 2021 and fiscal 2020, between federal funding sources (principally CRF, FEMA, and ELC). While we acknowledge that the State has performed significant reconciliation procedures to identify instances where expenditures were charged to multiple federal programs, the manually intensive nature of those procedures does not fully mitigate the risk of the control deficiency. Cause: Due to the rapid response required during the pandemic, the existence of multiple federal funding sources, and continually evolving federal guidance, costs were moved and adjusted in the accounting system to various funding sources, which increased the risk that a cost could be reimbursed from more than one federal award. Effect: Potential duplicate reimbursement of expenditures from more than one federal award. Potential of charging costs for unallowable activities to federal programs as the expenditure detail is not maintained when expenditures are adjusted in the accounting system. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-052 Ensure reconciliations and any required adjustments are complete to demonstrate that eligible COVID program costs were not reimbursed from more than one federal funding source.
TIME AND EFFORT REPORTING RIDOH?s time and effort reporting for general COVID-related activities did not provide adequate detail to fully support personnel costs charged to federal programs. Background: RIDOH has built robust, but complex, time reporting worksheets for employees to allocate their time spent on various activities during the week. Reconciliation of the hours worked versus the hours charged to the State?s payroll system and accounting system is performed on a quarterly basis and amounts recorded are adjusted accordingly to ensure charges in the accounting system are consistent with actual time spent on the various activities. Due to the challenges at the start of the pandemic and uncertainty regarding how costs would be funded, RIDOH adopted a general timesheet category for COVID-19 related personnel activities. Time and effort charged to this category ultimately gets allocated to federal programs in conjunction with RIDOH?s quarterly allocation of personnel costs. Criteria: 45 CFR 75.430(i)(1) requires that ?Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed.? Condition: Our review of personnel costs identified the following deficiencies that weaken controls over the allowability of personnel expenditures: ? Amounts allocated to federal programs for personnel costs were not consistently supported by properly signed and reviewed timesheets. For the Immunization program, while RIDOH was able to provide timesheets for all selected pay periods, 7 of the 74 selected weekly timesheets lacked either an employee or supervisor signature. For the ELC program, 3 of the 74 selected weekly timesheets lacked supervisor signatures, and there was no provided support, including a timesheet, for one selected payroll transaction. ? Time and effort identified to the general COVID-19 category lacked sufficient detail (i.e., underlying activity performed in support of COVID-19 response) to support its specific federal program allocation. While we found that the allowability for personnel costs charged to the underlying programs was reasonable based on the employee?s position and responsibilities, improved timesheet documentation detailing the specific activities worked by the employee (in relation to COVID-19 response) would significantly improve supporting documentation of allowable costs for these programs. Cause: The challenges in responding to the COVID 19 pandemic dramatically complicated RIDOH?s allocation of personnel expenditures amongst federal programs. The State?s lack of sufficient timesheet detail for designated COVID-19 time and effort activities (in conjunction with a lack of an integrated time and effort reporting system to easily allocate personnel costs over multiple funding sources) prevented direct verification of recorded timesheet activities to the underlying charge on federal programs. Effect: Personnel costs reimbursed from Federal awards could be unallowable due to insufficient support and documentation. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-059 Enhance weekly reporting of time and effort for COVID-19 activities to improve documentation and support for personnel costs charged to federal programs.
INSUFFICIENT DOCUMENTATION OF SUBAWARD AGREEMENTS TO SUPPORT ALLOCATION OF SUBRECIPIENT PAYMENTS TO THE ELC PROGRAM RIDOH lacked sufficient documentation of subawards (subrecipient agreements) to support the allocation of subrecipient payments to the ELC program. Criteria: 45 CFR 75.352 (a) ?Requirements for pass-through entities?, requires all pass-through entities to ?ensure that every subaward is clearly identified to the subrecipient as a subaward? and to include certain prescribed information, including the CFDA [Assistance Listing] number and name. The pass-through entity must ?identify the dollar amount made available under each Federal award and the CFDA number at the time of disbursement?. Condition: We tested a sample of 59 payments to subrecipients and the underlying subaward contracts for the required federal award information. Of the related 45 subaward contracts reviewed, we noted three instances where the original contracts expired prior to the beginning of the fiscal year and the related extensions did not identify the ELC program as an applicable federal funding source. RIDOH leveraged preexisting contracts to local entities identified as ?health equity zones? (HEZs). The health equity zone contracts include numerous contract amendments extending those agreements. The extensions reviewed in fiscal 2021 appropriately indicated ELC as a federal funding source of the subaward. In fiscal 2022, subaward agreements were again extended, however, in the case of three subaward agreements reviewed, the ELC program was not indicated as an applicable federal funding source. Proper identification of the relevant federal program information, including the relevant Assistance Listing number, is critical to ensuring that subrecipients are aware of the program restrictions to which they are required to adhere. Cause: Insufficient documentation to support the allowability of certain subawards charged to the ELC program. Effect: Potential noncompliance due to a lack of documentation to support allowability in accordance with federal regulations. Absence of the relevant identifying federal program information in subaward agreements increases the risk of noncompliance with federal regulations by the subrecipient. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-060 Ensure all subrecipient contracts and subsequent amendments contain the relevant identifying federal program information as required by Uniform Guidance.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
TANF ELIGIBILITY ? RIBRIDGES The State can improve compliance with TANF eligibility requirements specifically by ensuring consistent documentation of eligibility components within RIBridges. Background: RIBridges is the State?s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and provide for periodic validation of client attested data through multiple electronic interfaces. RIBridges system operation has been problematic since implementation and efforts to address eligibility processing challenges are ongoing. Enhanced federal funding for new eligibility systems was approved to provide more efficient, economical, and effective administration of these human service programs. Criteria: Federal regulation 45 CFR 260.20 requires that a family be needy in order to be eligible for TANF assistance and job preparation services. Federal regulation 45 CFR 205.60(a) requires (the state agency) ?to maintain records to support eligibility, including facts to support the client?s need for assistance. The State?s policies and procedures require that documentation used to verify eligibility be maintained in the case file.? Federal regulations define appropriate sources of documentation to verify TANF applicant data when determining TANF eligibility. Condition: Documentation in RIBridges was insufficient to support eligibility in certain cases tested. When evaluating exceptions relating to case documentation deficiencies, questioned costs and consideration of material noncompliance with eligibility requirements are based on documentation of critical household eligibility factors (income, residency, citizenship, valid social security number, birth certificates). If documentation omission was isolated in a case record and did not impact the substantial eligibility of the household, it was treated as an exception for control deficiency considerations only. [See Schedule of Findings and Questioned Costs for table.] While applicant-attested information in most cases supported applicant eligibility for TANF, the lack of required critical supporting documentation in 4.4% of the case files tested, in addition to the high number of other documentation deficiencies noted, was deemed to be a material weakness in internal control over TANF eligibility. Cause: Most case errors noted resulted from worker noncompliance with documentation requirements for elements of eligibility determination. Additional focus and training are required to ensure consistent documentation of eligibility components within RIBridges. Effect: Ineffective controls over the eligibility process for TANF increase the potential for payment of benefits to ineligible families and/or payment of incorrect benefit amounts. Questioned Costs: $10,005 Valid Statistical Sampling: Yes RECOMMENDATION 2022-061 Improve policies and procedures to ensure that all required eligibility compliance requirements are documented within RIBridges.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
TANF ELIGIBILITY ? RIBRIDGES The State can improve compliance with TANF eligibility requirements specifically by ensuring consistent documentation of eligibility components within RIBridges. Background: RIBridges is the State?s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and provide for periodic validation of client attested data through multiple electronic interfaces. RIBridges system operation has been problematic since implementation and efforts to address eligibility processing challenges are ongoing. Enhanced federal funding for new eligibility systems was approved to provide more efficient, economical, and effective administration of these human service programs. Criteria: Federal regulation 45 CFR 260.20 requires that a family be needy in order to be eligible for TANF assistance and job preparation services. Federal regulation 45 CFR 205.60(a) requires (the state agency) ?to maintain records to support eligibility, including facts to support the client?s need for assistance. The State?s policies and procedures require that documentation used to verify eligibility be maintained in the case file.? Federal regulations define appropriate sources of documentation to verify TANF applicant data when determining TANF eligibility. Condition: Documentation in RIBridges was insufficient to support eligibility in certain cases tested. When evaluating exceptions relating to case documentation deficiencies, questioned costs and consideration of material noncompliance with eligibility requirements are based on documentation of critical household eligibility factors (income, residency, citizenship, valid social security number, birth certificates). If documentation omission was isolated in a case record and did not impact the substantial eligibility of the household, it was treated as an exception for control deficiency considerations only. [See Schedule of Findings and Questioned Costs for table.] While applicant-attested information in most cases supported applicant eligibility for TANF, the lack of required critical supporting documentation in 4.4% of the case files tested, in addition to the high number of other documentation deficiencies noted, was deemed to be a material weakness in internal control over TANF eligibility. Cause: Most case errors noted resulted from worker noncompliance with documentation requirements for elements of eligibility determination. Additional focus and training are required to ensure consistent documentation of eligibility components within RIBridges. Effect: Ineffective controls over the eligibility process for TANF increase the potential for payment of benefits to ineligible families and/or payment of incorrect benefit amounts. Questioned Costs: $10,005 Valid Statistical Sampling: Yes RECOMMENDATION 2022-061 Improve policies and procedures to ensure that all required eligibility compliance requirements are documented within RIBridges.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
CONTROLS OVER ELIGIBILITY, INCOME VALIDATION, AND DETERMINATION OF PARENT COST-SHARING AMOUNTS RIBridges controls over eligibility determinations, income validation, and calculation of required parent cost-sharing amounts require strengthening for the CCDF Cluster programs. Controls to improve the documentation of eligibility specifically need improvement to support compliance with federal regulations. Background: RIBridges is the State?s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and provide for periodic validation of client attested data through multiple electronic interfaces. RIBridges system operation has been problematic since implementation and efforts to address eligibility processing challenges are ongoing. RIBridges determines eligibility for a childcare subsidy and the amount of parental co-pay based on family income and family size. Payments to licensed childcare providers are made through RIBridges. RIBridges is the official source of recipient eligibility documentation for the childcare program. Criteria: Lead agencies must have in place procedures for documenting and verifying eligibility in accordance with federal requirements, as well as the specific eligibility requirements selected by each State in its approved plan. A lead agency is the designated State, territorial or tribal entity to which the CCDF grant is awarded and that is accountable for administering the CCDF program. Lead agencies shall establish a sliding fee scale, based on family size, income, and other appropriate factors, that provides for cost sharing by families that receive CCDF childcare services (45 CFR section 98.45(k)). Lead agencies may exempt families below the poverty line from making copayments and shall establish a payment rate schedule for childcare providers caring for subsidized children (45 CFR section 98.45(k)(4)). Condition: RIBridges lacked effective income validation controls to determine program eligibility and potential family co-share amounts. Documentation supporting child care program eligibility was not found in 8 out of the 40 sample cases we reviewed, resulting in a 20% error rate. We considered a 20% error rate to represent material noncompliance with federal regulations over childcare eligibility requirements. The complete details of our testing are presented in the following table: [See Schedule of Findings and Questioned Costs for table.] Cause: Eligibility exceptions noted resulted from worker noncompliance with documentation requirements supporting eligibility determinations. Additional focus and training are required to ensure consistent documentation of eligibility components within RIBridges. Controls over the input of payroll information were also deficient, resulting in improper co-share amounts being determined. Effect: Noncompliance with childcare eligibility requirements. Parental income/co-shares were incorrectly determined in some cases. Failure to end benefits timely when applicant employment ended. Questioned Costs: $38,985 Valid Statistical Sampling: Yes RECOMMENDATION 2022-062 Improve controls over CCDF eligibility determinations by ensuring consistent inclusion of eligibility documentation in the electronic case record and appropriate consideration of parent earnings information for determination of parent co-shares.
CCDF ? ALLOWABLE COSTS ? OTHER MATTERS Likely questioned costs were identified in conjunction with a fraud investigation performed by the Office of Internal Audit (OIA). Criteria: Uniform Guidance section 200.516(a)(6) states that the auditor must report known or likely fraud affecting a Federal award, unless such fraud is otherwise reported as an audit finding in the schedule of findings and questioned costs for Federal awards. Condition: During our audit inquiries during the fiscal 2022 audit of the CCDF Cluster, the State?s Office of Internal Audit (OIA) disclosed potential fraud relating to the Child Care Program that they discovered in relation to claiming that predated fiscal 2021 (prior to relaxation of program requirements during the public health emergency). OIA identified claiming for unreported absences, excess absences, and failure to report change in enrollment status. The OIA?s findings were communicated to law enforcement and charges were filed against the related Child Care provider. Potential claiming in relation to the OIA?s findings approximated $820,000 in Child Care payments. Cause: Potential fraud committed by a Child Care provider not detected by program controls. Effect: Child Care payments were made to a provider for ineligible services billed. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-063 Evaluate the underlying allegations of program fraud and return funds to the federal government that did not meet federal requirements.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
CONTROLS OVER ELIGIBILITY, INCOME VALIDATION, AND DETERMINATION OF PARENT COST-SHARING AMOUNTS RIBridges controls over eligibility determinations, income validation, and calculation of required parent cost-sharing amounts require strengthening for the CCDF Cluster programs. Controls to improve the documentation of eligibility specifically need improvement to support compliance with federal regulations. Background: RIBridges is the State?s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and provide for periodic validation of client attested data through multiple electronic interfaces. RIBridges system operation has been problematic since implementation and efforts to address eligibility processing challenges are ongoing. RIBridges determines eligibility for a childcare subsidy and the amount of parental co-pay based on family income and family size. Payments to licensed childcare providers are made through RIBridges. RIBridges is the official source of recipient eligibility documentation for the childcare program. Criteria: Lead agencies must have in place procedures for documenting and verifying eligibility in accordance with federal requirements, as well as the specific eligibility requirements selected by each State in its approved plan. A lead agency is the designated State, territorial or tribal entity to which the CCDF grant is awarded and that is accountable for administering the CCDF program. Lead agencies shall establish a sliding fee scale, based on family size, income, and other appropriate factors, that provides for cost sharing by families that receive CCDF childcare services (45 CFR section 98.45(k)). Lead agencies may exempt families below the poverty line from making copayments and shall establish a payment rate schedule for childcare providers caring for subsidized children (45 CFR section 98.45(k)(4)). Condition: RIBridges lacked effective income validation controls to determine program eligibility and potential family co-share amounts. Documentation supporting child care program eligibility was not found in 8 out of the 40 sample cases we reviewed, resulting in a 20% error rate. We considered a 20% error rate to represent material noncompliance with federal regulations over childcare eligibility requirements. The complete details of our testing are presented in the following table: [See Schedule of Findings and Questioned Costs for table.] Cause: Eligibility exceptions noted resulted from worker noncompliance with documentation requirements supporting eligibility determinations. Additional focus and training are required to ensure consistent documentation of eligibility components within RIBridges. Controls over the input of payroll information were also deficient, resulting in improper co-share amounts being determined. Effect: Noncompliance with childcare eligibility requirements. Parental income/co-shares were incorrectly determined in some cases. Failure to end benefits timely when applicant employment ended. Questioned Costs: $38,985 Valid Statistical Sampling: Yes RECOMMENDATION 2022-062 Improve controls over CCDF eligibility determinations by ensuring consistent inclusion of eligibility documentation in the electronic case record and appropriate consideration of parent earnings information for determination of parent co-shares.
CCDF ? ALLOWABLE COSTS ? OTHER MATTERS Likely questioned costs were identified in conjunction with a fraud investigation performed by the Office of Internal Audit (OIA). Criteria: Uniform Guidance section 200.516(a)(6) states that the auditor must report known or likely fraud affecting a Federal award, unless such fraud is otherwise reported as an audit finding in the schedule of findings and questioned costs for Federal awards. Condition: During our audit inquiries during the fiscal 2022 audit of the CCDF Cluster, the State?s Office of Internal Audit (OIA) disclosed potential fraud relating to the Child Care Program that they discovered in relation to claiming that predated fiscal 2021 (prior to relaxation of program requirements during the public health emergency). OIA identified claiming for unreported absences, excess absences, and failure to report change in enrollment status. The OIA?s findings were communicated to law enforcement and charges were filed against the related Child Care provider. Potential claiming in relation to the OIA?s findings approximated $820,000 in Child Care payments. Cause: Potential fraud committed by a Child Care provider not detected by program controls. Effect: Child Care payments were made to a provider for ineligible services billed. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-063 Evaluate the underlying allegations of program fraud and return funds to the federal government that did not meet federal requirements.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
CONTROLS OVER ELIGIBILITY, INCOME VALIDATION, AND DETERMINATION OF PARENT COST-SHARING AMOUNTS RIBridges controls over eligibility determinations, income validation, and calculation of required parent cost-sharing amounts require strengthening for the CCDF Cluster programs. Controls to improve the documentation of eligibility specifically need improvement to support compliance with federal regulations. Background: RIBridges is the State?s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and provide for periodic validation of client attested data through multiple electronic interfaces. RIBridges system operation has been problematic since implementation and efforts to address eligibility processing challenges are ongoing. RIBridges determines eligibility for a childcare subsidy and the amount of parental co-pay based on family income and family size. Payments to licensed childcare providers are made through RIBridges. RIBridges is the official source of recipient eligibility documentation for the childcare program. Criteria: Lead agencies must have in place procedures for documenting and verifying eligibility in accordance with federal requirements, as well as the specific eligibility requirements selected by each State in its approved plan. A lead agency is the designated State, territorial or tribal entity to which the CCDF grant is awarded and that is accountable for administering the CCDF program. Lead agencies shall establish a sliding fee scale, based on family size, income, and other appropriate factors, that provides for cost sharing by families that receive CCDF childcare services (45 CFR section 98.45(k)). Lead agencies may exempt families below the poverty line from making copayments and shall establish a payment rate schedule for childcare providers caring for subsidized children (45 CFR section 98.45(k)(4)). Condition: RIBridges lacked effective income validation controls to determine program eligibility and potential family co-share amounts. Documentation supporting child care program eligibility was not found in 8 out of the 40 sample cases we reviewed, resulting in a 20% error rate. We considered a 20% error rate to represent material noncompliance with federal regulations over childcare eligibility requirements. The complete details of our testing are presented in the following table: [See Schedule of Findings and Questioned Costs for table.] Cause: Eligibility exceptions noted resulted from worker noncompliance with documentation requirements supporting eligibility determinations. Additional focus and training are required to ensure consistent documentation of eligibility components within RIBridges. Controls over the input of payroll information were also deficient, resulting in improper co-share amounts being determined. Effect: Noncompliance with childcare eligibility requirements. Parental income/co-shares were incorrectly determined in some cases. Failure to end benefits timely when applicant employment ended. Questioned Costs: $38,985 Valid Statistical Sampling: Yes RECOMMENDATION 2022-062 Improve controls over CCDF eligibility determinations by ensuring consistent inclusion of eligibility documentation in the electronic case record and appropriate consideration of parent earnings information for determination of parent co-shares.
CCDF ? ALLOWABLE COSTS ? OTHER MATTERS Likely questioned costs were identified in conjunction with a fraud investigation performed by the Office of Internal Audit (OIA). Criteria: Uniform Guidance section 200.516(a)(6) states that the auditor must report known or likely fraud affecting a Federal award, unless such fraud is otherwise reported as an audit finding in the schedule of findings and questioned costs for Federal awards. Condition: During our audit inquiries during the fiscal 2022 audit of the CCDF Cluster, the State?s Office of Internal Audit (OIA) disclosed potential fraud relating to the Child Care Program that they discovered in relation to claiming that predated fiscal 2021 (prior to relaxation of program requirements during the public health emergency). OIA identified claiming for unreported absences, excess absences, and failure to report change in enrollment status. The OIA?s findings were communicated to law enforcement and charges were filed against the related Child Care provider. Potential claiming in relation to the OIA?s findings approximated $820,000 in Child Care payments. Cause: Potential fraud committed by a Child Care provider not detected by program controls. Effect: Child Care payments were made to a provider for ineligible services billed. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-063 Evaluate the underlying allegations of program fraud and return funds to the federal government that did not meet federal requirements.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
CONTROLS OVER ELIGIBILITY DETERMINATIONS WITHIN THE CHILDREN?S HEALTH INSURANCE PROGRAM (CHIP) ? MATERIAL NONCOMPLIANCE The State did not materially comply with CHIP eligibility requirements during fiscal 2022. RIBridges is not fully evaluating all eligibility criteria to ensure compliance with federal regulations. Background: RIBridges, the State?s computer system used to manage multiple federally funded human service programs, determines eligibility for CHIP. During fiscal 2022, in response to the COVID-19 public health emergency (PHE), federal guidance and temporary changes to the State Plan continued to limit the State?s data verification procedures when evaluating eligibility of new program applicants and prohibited modifying recipient eligibility of existing recipients during the PHE. This finding focuses on the results from testing the more limited controls in place during fiscal 2022. Criteria: Eligibility requirements for CHIP are detailed in the State Plan. Recipient eligibility requirements generally include children under age 19 with household income less than 261% of the federal poverty limit (FPL). Coverage of pregnant women and unborn children of non-citizens is also available under CHIP for individuals with household income less than 253% of FPL. Enhanced funding under CHIP is available only for children without existing health coverage. Children with existing health coverage would be eligible for Medical Assistance. Condition: Controls over CHIP eligibility determinations, except for the limitations described above, were largely unchanged during fiscal 2022. While most CHIP eligibility was identified through RIBridges, EOHHS identified additional CHIP claiming (approximately $4.9 million) through querying the MMIS for individuals meeting CHIP characteristics but not coded as CHIP eligible by RIBridges. Utilizing two separate claiming mechanisms continues to weaken controls over CHIP eligibility. For fiscal 2022, we tested a sample of 40 capitation payments (total population of 1.6 million payments totaling $107.7 million, federal share - $65.8 million) claimed to CHIP for limited eligibility requirements deemed applicable during the PHE. Operational and control deficiencies during fiscal 2022 resulted in material noncompliance with eligibility requirements for CHIP. For all exceptions, the State did not consider the existence of third-party health coverage when determining eligibility for CHIP. We found that two individuals out of the 40 tested were covered by existing health coverage at the time of the claim for a 5% error rate. The citizenship of one of the individuals considered ineligible was also not documented in accordance with federal regulations. Capitation and claims paid in relation to these individuals totaled $5,823 during fiscal 2022 (federal questioned costs - $4,237). These costs would be eligible for claiming to Medicaid. During fiscal 2022, RIBridges was not currently evaluating existing health coverage in conjunction with determining CHIP eligibility, a practice inconsistent with the CHIP State Plan. The State?s most effective data source for identifying third-party insurance (automated TPL data match with private insurers) is utilized in the MMIS but was not interfacing with RIBridges during fiscal 2022. Cause: Noncompliance with CHIP eligibility requirements is caused by CHIP specific programming deficiencies within RIBridges, most notably, the lack of functionality to consider the availability of existing health coverage at the time of application. Effect: Material noncompliance with federal requirements relating to recipient eligibility for CHIP. Questioned Costs: $4,237 Valid Statistical Sampling: Yes RECOMMENDATIONS 2022-064a Address and correct the RIBridges system deficiencies which weaken controls and result in material noncompliance with federal regulations regarding CHIP eligibility. 2022-064b Identify ineligible CHIP costs and return to the federal grantor.
MANAGED CARE FINANCIAL AUDIT The State is not currently in compliance with federal regulations requiring States to implement certain program integrity safeguards when administering Medicaid managed care programs. Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs: ? 42 CFR 438.3(m) Audited financial reports. ?The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.? ? 42 CFR 438.602(e) Periodic audits. ?The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.? Condition: Federal program integrity requirements including required audits of MCO financial and encounter data have not been implemented by the State. These requirements are effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the requirements have not been complied with and policies and procedures specifically outlining the scope of the audits to be performed have not been documented. Cause: Failure to implement federal requirements for stated effective date. Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-065a Improve required contract language for required MCO financial audits to ensure compliance with federal requirements. 2022-065b Implement policies and procedures to comply with federal regulations for MCO financial audits.
MEDICAID MANAGED CARE ORGANIZATIONS ? PROVIDER ELIGIBILITY The State began procedures for the screening, enrollment, and revalidation of providers used in managed care organization (MCO) networks in fiscal 2022; however, a majority of MCO providers remained outstanding at year-end and thus the State did not materially comply with these federal requirements relating to provider eligibility. Criteria: 42 CFR Section 438.602, titled Managed Care, Additional Program Integrity Safeguards, State Responsibilities requires the State to comply with the following sections relating to provider eligibility: ?(b) Screening and enrollment and revalidation providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section for up to 120 days but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120-day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ?438.608(c). (d) Federal database checks. Consistent with the requirements at ?455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ?438.610(c).? Condition: The Medicaid and CHIP Managed Care Final Rule implemented new screening, enrollment, and revalidation requirements for providers of managed care organizations operating within these federal programs. These requirements became effective for fiscal 2019, however, EOHHS had not yet materially complied with these new regulations through fiscal 2022. Cause: Failure to implement federal requirements by the required effective date. EOHHS implemented new procedures and began enrollment in fiscal 2022 but the majority (approximately 90%) of MCO providers were not enrolled as of June 30, 2022. Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-066 Expedite implementation of procedures to comply with federal regulations for the screening, enrollment and revalidation of providers used in managed care organization networks.
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS See related Financial Statement Finding 2022-003. Capitation payments to MCOs represent approximately 60% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures. Background: Medicaid expenditures for individuals enrolled in managed care during fiscal 2022 approximated $1.9 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for 303,301 Medicaid eligible individuals - approximately 91% of total Medicaid enrollees at June 30, 2022. These capitation payments related to the following managed care programs within the State?s Medicaid program: [See Schedule of Findings and Questioned Costs for table.] Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. These programs, however, operate under similar contract structures for purposes of financial settlement with Medicaid. Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Center for Medicare & Medicaid Services overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs. Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls. Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are impacted by the control deficiencies described in Finding 2022-003 relating to the State?s financial reporting and Finding 2022-065 relating to noncompliance with the federal requirements for MCO audit provisions. These deficiencies also impact controls over federal compliance with allowable cost principles in relation to managed care contract settlements. Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP: Finding 2022-003, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls ? Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process. Finding 2022-065, Managed Care Financial Audit ? CMS inclusion of managed care financial audit requirements relating to managed care were designed to improve controls over financial activity and the underlying data reported by managed care organizations which become the basis for contract settlements with the Medicaid and CHIP programs. The State?s noncompliance with these federal requirements results in weakened controls over the administration of managed care activity. Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates. In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2021 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. The following table provides context regarding the amount of medical expenditures that were not supported by submitted encounter data in fiscal 2021 contract settlements. [See Schedule of Findings and Questioned Costs for table.] We also assessed controls to ensure the timely termination of eligibility for deceased individuals to prevent continued payment of managed care capitation after death. We found that the State had not ended eligibility in the MMIS for 127 individuals within 90 days of the date of death. This control deficiency resulted in managed care capitation totaling $467,740 (federal share - $391,994) paid for individuals who had been deceased for more than 90 days. Of that group, 77 individuals remained Medicaid active with capitation paid to the managed care organization for more than 180 days after death. While the State can recoup the capitation once the individual?s death is recorded and eligibility is ended, the delay in termination for deceased individuals further weakens overall controls relating to managed care contract settlements. The State should improve controls to ensure that capitation payments are not continued for Medicaid recipients after death. Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments. Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees. Questioned Costs: $391,994 Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-067a Improve controls over compliance requirements for the allowability of federal expenditures by addressing related internal control deficiencies (including system limitations) over financial reporting and federal noncompliance that specifically impacts financial settlements with managed care organizations. 2022-067b Improve controls to ensure the timely termination of Medicaid eligibility for deceased individuals to prevent continued payment of managed care capitation after death.
FEDERAL REPORTING Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs. Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The State?s RIFANS accounting system is the official record of federal program expenditures and therefore should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures to authorized grant awards (by federal fiscal year) for the respective programs. Condition: Reviews of federal reports for fiscal 2022 noted the following reporting deficiencies: ? Approximately $3.3 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs. ? Reconciling administrative expenditures to the State Accounting System was not performed consistently by the State?s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. ? Amounts reported for benefit expenditures on the CMS-64 Report were in excess of amounts reported in the State Accounting System. While EOHHS believes this was caused by new reporting for reinvestments of the additional 10% federal reimbursement on home and community based services, EOHHS?s reconciliation between the CMS-64 Report and the State Accounting System did not provide documentation supporting the federal reporting difference. ? Nursing facility taxes and hospital licensing fees were reported quarterly in accordance with CMS-64 Report requirements. EOHHS, however, needs to consider whether other healthcare related taxes meet the requirements for reporting on the CMS-64 Report to ensure the completeness of reports filed. The OAG specifically inquired regarding premium taxes that are factored into Medicaid managed care rates to determine if that health insurer tax should also be reported on the CMS-64 Report. Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State Accounting System represents a weakness in internal control over federal reporting. Procedures to ensure the consistent and complete reporting of healthcare-related taxes and fees on the CMS-64 Report are lacking. Effect: Increased risk of inaccurate federal reporting. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-068a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State?s integrated eligibility system. 2022-068b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis. 2022-068c Conduct an analysis of healthcare related fees and taxes levied by the State to determine if other healthcare related taxes require reporting in the CMS-64 Report.
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR INDIVIDUALS COVERED UNDER MANAGED CARE The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payor of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance. Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible individuals. For individuals enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. The State does not share identified TPL information with the MCOs. Criteria: 42 CFR section 433.138 requires that States (as defined in their approved State Plan) must take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island?s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid Program. With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program. Condition: Identification of TPL by managed care organizations - During fiscal 2022, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (individuals with Medicaid eligibility for the entire year) had verified TPL coverage that was similar to their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that possibly could have been cost avoided. We selected a random sample of encounter claims where the State reported verified third party liability coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Of the twenty instances where the State had verified insurance coverage for Medicaid individuals with three MCOs, those MCOs only had record of TPL in four of the instances. Validity of State Reported TPL Data - As a follow-up to the low number of TPL segments confirmed by the MCOs, we did an analysis of the State?s verified third party insurance data to evaluate its accuracy. With a concern that the State?s reported TPL verification was not completely reliable, we held discussions with EOHHS regarding the issue. EOHHS indicated that concerns had recently surfaced in regards to reported TPL in the MMIS. EOHHS had concerns that while the TPL data match was effectively identifying TPL segments, the interface with the MMIS was less effective in terminating active segments when coverage ended. Based on that concern, we performed an age analysis on current validated TPL segments at June 30, 2022 to evaluate EOHHS?s concerns. Our analysis was based on the likelihood that the older the TPL segment was, the more likely it was that the reported insurance coverage may no longer be effective. Our analysis identified that 62% of the reported 87,138 verified active TPL segments reported in the MMIS as of June 30, 2022 were older than 3 years old, and 36% were older than 5 years old. The high percentage of older TPL segments supports the concerns shared by EOHHS. Approximately 10% of reported verified TPL segments were older than 10 years. While possible, the likelihood that a verified TPL segment would not have any change required (i.e., policy number, coverage type, plan change) over those periods is questionable. Our continued analysis of federal requirements for TPL identification and cost avoidance in fiscal 2022 continue to support the need for immediate action by EOHHS. Immediate corrective actions are needed to first validate TPL data currently residing in the MMIS system. EOHHS should immediately require its MMIS contractor to validate TPL segments for active Medicaid recipients. Once validated, the MMIS contractor should address system deficiencies preventing closure of validated TPL segments when the related insurance coverage lapses. Additionally, once the validated TPL data segments are identified for current Medicaid recipients, that data should be shared with the managed care organizations to ensure that those entities have updated recipient TPL data. EOHHS should also implement enhanced monitoring procedures over MCO TPL identification and cost avoidance to ensure that the MCOs are complying with federal regulations and contractual agreements. Cause: Control deficiencies resulting in inaccurate TPL data residing in the MMIS. Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations. Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-069a Coordinate with the MMIS contractor to validate TPL segments for active Medicaid recipients and address system deficiencies preventing closure of validated TPL segments when the related insurance coverage lapses. 2022-069b Share and match identified TPL coverage with the MCOs upon enrollment and as an individual?s TPL status changes. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
CONTROLS OVER CRITICAL SYSTEM DATA INTERFACES WITHIN THE RIBRIDGES ELIGIBILITY SYSTEM Controls need to be improved to ensure that critical external data interfaces are operating as designed within the RIBridges system. Background: The State?s integrated eligibility system, RIBridges, was designed to utilize various external data sources interfaced with the system to validate applicant data. The objective was to eliminate the need for applicants to provide documentation supporting their eligibility for Medicaid or CHIP if the information was validated by independent external data sources. RIBridges utilizes the State Wage Information Collection Agency (SWICA) data, quarterly employer wage data, provided by the RI Department of Labor and Training (DLT) to validate reported applicant income. SWICA represents a critical external data source and interface within RIBridges. Criteria: The State selected SWICA data as a primary source to validate reported income by Medicaid and CHIP applicants. Federal regulations require that States maintain effective internal controls to ensure compliance with federal eligibility requirements for both programs, including the verification of applicant income. Inclusive in that responsibility are monitoring procedures to ensure that controls are operating as designed. Condition: Certain data mining procedures applied in conjunction with the testing of Medicaid eligibility for fiscal 2022, identified a significant number of State employees receiving Medical Assistance during the year. Analysis of the identified cases found that most were eligible for Medicaid or remained eligible due to federal restrictions on eligibility terminations during the public health emergency period. Our detailed case reviews, however, did identify some cases where known employee wages were not reporting through the SWICA interface as expected. Further follow-up with EOHHS staff identified that the SWICA interface was not operating as designed. Cause: The SWICA interface was not operating in accordance with its design objectives. DLT was reporting no income for employers with late quarterly filings. DLT was also not updating the data file periodically to populate late employer quarterly filings. Significant additional monitoring is needed over critical external data interfaces to ensure operational effectiveness. Effect: Eligibility for Medical Assistance for ineligible applicants. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-070a Correct operational deficiencies identified within RIBridges income validation interface. 2022-070b Implement monitoring procedures for critical external interfaces designed within RIBridges.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
CONTROLS OVER ELIGIBILITY DETERMINATIONS WITHIN THE CHILDREN?S HEALTH INSURANCE PROGRAM (CHIP) ? MATERIAL NONCOMPLIANCE The State did not materially comply with CHIP eligibility requirements during fiscal 2022. RIBridges is not fully evaluating all eligibility criteria to ensure compliance with federal regulations. Background: RIBridges, the State?s computer system used to manage multiple federally funded human service programs, determines eligibility for CHIP. During fiscal 2022, in response to the COVID-19 public health emergency (PHE), federal guidance and temporary changes to the State Plan continued to limit the State?s data verification procedures when evaluating eligibility of new program applicants and prohibited modifying recipient eligibility of existing recipients during the PHE. This finding focuses on the results from testing the more limited controls in place during fiscal 2022. Criteria: Eligibility requirements for CHIP are detailed in the State Plan. Recipient eligibility requirements generally include children under age 19 with household income less than 261% of the federal poverty limit (FPL). Coverage of pregnant women and unborn children of non-citizens is also available under CHIP for individuals with household income less than 253% of FPL. Enhanced funding under CHIP is available only for children without existing health coverage. Children with existing health coverage would be eligible for Medical Assistance. Condition: Controls over CHIP eligibility determinations, except for the limitations described above, were largely unchanged during fiscal 2022. While most CHIP eligibility was identified through RIBridges, EOHHS identified additional CHIP claiming (approximately $4.9 million) through querying the MMIS for individuals meeting CHIP characteristics but not coded as CHIP eligible by RIBridges. Utilizing two separate claiming mechanisms continues to weaken controls over CHIP eligibility. For fiscal 2022, we tested a sample of 40 capitation payments (total population of 1.6 million payments totaling $107.7 million, federal share - $65.8 million) claimed to CHIP for limited eligibility requirements deemed applicable during the PHE. Operational and control deficiencies during fiscal 2022 resulted in material noncompliance with eligibility requirements for CHIP. For all exceptions, the State did not consider the existence of third-party health coverage when determining eligibility for CHIP. We found that two individuals out of the 40 tested were covered by existing health coverage at the time of the claim for a 5% error rate. The citizenship of one of the individuals considered ineligible was also not documented in accordance with federal regulations. Capitation and claims paid in relation to these individuals totaled $5,823 during fiscal 2022 (federal questioned costs - $4,237). These costs would be eligible for claiming to Medicaid. During fiscal 2022, RIBridges was not currently evaluating existing health coverage in conjunction with determining CHIP eligibility, a practice inconsistent with the CHIP State Plan. The State?s most effective data source for identifying third-party insurance (automated TPL data match with private insurers) is utilized in the MMIS but was not interfacing with RIBridges during fiscal 2022. Cause: Noncompliance with CHIP eligibility requirements is caused by CHIP specific programming deficiencies within RIBridges, most notably, the lack of functionality to consider the availability of existing health coverage at the time of application. Effect: Material noncompliance with federal requirements relating to recipient eligibility for CHIP. Questioned Costs: $4,237 Valid Statistical Sampling: Yes RECOMMENDATIONS 2022-064a Address and correct the RIBridges system deficiencies which weaken controls and result in material noncompliance with federal regulations regarding CHIP eligibility. 2022-064b Identify ineligible CHIP costs and return to the federal grantor.
MANAGED CARE FINANCIAL AUDIT The State is not currently in compliance with federal regulations requiring States to implement certain program integrity safeguards when administering Medicaid managed care programs. Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs: ? 42 CFR 438.3(m) Audited financial reports. ?The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.? ? 42 CFR 438.602(e) Periodic audits. ?The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.? Condition: Federal program integrity requirements including required audits of MCO financial and encounter data have not been implemented by the State. These requirements are effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the requirements have not been complied with and policies and procedures specifically outlining the scope of the audits to be performed have not been documented. Cause: Failure to implement federal requirements for stated effective date. Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-065a Improve required contract language for required MCO financial audits to ensure compliance with federal requirements. 2022-065b Implement policies and procedures to comply with federal regulations for MCO financial audits.
MEDICAID MANAGED CARE ORGANIZATIONS ? PROVIDER ELIGIBILITY The State began procedures for the screening, enrollment, and revalidation of providers used in managed care organization (MCO) networks in fiscal 2022; however, a majority of MCO providers remained outstanding at year-end and thus the State did not materially comply with these federal requirements relating to provider eligibility. Criteria: 42 CFR Section 438.602, titled Managed Care, Additional Program Integrity Safeguards, State Responsibilities requires the State to comply with the following sections relating to provider eligibility: ?(b) Screening and enrollment and revalidation providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section for up to 120 days but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120-day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ?438.608(c). (d) Federal database checks. Consistent with the requirements at ?455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ?438.610(c).? Condition: The Medicaid and CHIP Managed Care Final Rule implemented new screening, enrollment, and revalidation requirements for providers of managed care organizations operating within these federal programs. These requirements became effective for fiscal 2019, however, EOHHS had not yet materially complied with these new regulations through fiscal 2022. Cause: Failure to implement federal requirements by the required effective date. EOHHS implemented new procedures and began enrollment in fiscal 2022 but the majority (approximately 90%) of MCO providers were not enrolled as of June 30, 2022. Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-066 Expedite implementation of procedures to comply with federal regulations for the screening, enrollment and revalidation of providers used in managed care organization networks.
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS See related Financial Statement Finding 2022-003. Capitation payments to MCOs represent approximately 60% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures. Background: Medicaid expenditures for individuals enrolled in managed care during fiscal 2022 approximated $1.9 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for 303,301 Medicaid eligible individuals - approximately 91% of total Medicaid enrollees at June 30, 2022. These capitation payments related to the following managed care programs within the State?s Medicaid program: [See Schedule of Findings and Questioned Costs for table.] Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. These programs, however, operate under similar contract structures for purposes of financial settlement with Medicaid. Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Center for Medicare & Medicaid Services overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs. Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls. Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are impacted by the control deficiencies described in Finding 2022-003 relating to the State?s financial reporting and Finding 2022-065 relating to noncompliance with the federal requirements for MCO audit provisions. These deficiencies also impact controls over federal compliance with allowable cost principles in relation to managed care contract settlements. Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP: Finding 2022-003, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls ? Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process. Finding 2022-065, Managed Care Financial Audit ? CMS inclusion of managed care financial audit requirements relating to managed care were designed to improve controls over financial activity and the underlying data reported by managed care organizations which become the basis for contract settlements with the Medicaid and CHIP programs. The State?s noncompliance with these federal requirements results in weakened controls over the administration of managed care activity. Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates. In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2021 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. The following table provides context regarding the amount of medical expenditures that were not supported by submitted encounter data in fiscal 2021 contract settlements. [See Schedule of Findings and Questioned Costs for table.] We also assessed controls to ensure the timely termination of eligibility for deceased individuals to prevent continued payment of managed care capitation after death. We found that the State had not ended eligibility in the MMIS for 127 individuals within 90 days of the date of death. This control deficiency resulted in managed care capitation totaling $467,740 (federal share - $391,994) paid for individuals who had been deceased for more than 90 days. Of that group, 77 individuals remained Medicaid active with capitation paid to the managed care organization for more than 180 days after death. While the State can recoup the capitation once the individual?s death is recorded and eligibility is ended, the delay in termination for deceased individuals further weakens overall controls relating to managed care contract settlements. The State should improve controls to ensure that capitation payments are not continued for Medicaid recipients after death. Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments. Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees. Questioned Costs: $391,994 Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-067a Improve controls over compliance requirements for the allowability of federal expenditures by addressing related internal control deficiencies (including system limitations) over financial reporting and federal noncompliance that specifically impacts financial settlements with managed care organizations. 2022-067b Improve controls to ensure the timely termination of Medicaid eligibility for deceased individuals to prevent continued payment of managed care capitation after death.
FEDERAL REPORTING Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs. Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The State?s RIFANS accounting system is the official record of federal program expenditures and therefore should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures to authorized grant awards (by federal fiscal year) for the respective programs. Condition: Reviews of federal reports for fiscal 2022 noted the following reporting deficiencies: ? Approximately $3.3 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs. ? Reconciling administrative expenditures to the State Accounting System was not performed consistently by the State?s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. ? Amounts reported for benefit expenditures on the CMS-64 Report were in excess of amounts reported in the State Accounting System. While EOHHS believes this was caused by new reporting for reinvestments of the additional 10% federal reimbursement on home and community based services, EOHHS?s reconciliation between the CMS-64 Report and the State Accounting System did not provide documentation supporting the federal reporting difference. ? Nursing facility taxes and hospital licensing fees were reported quarterly in accordance with CMS-64 Report requirements. EOHHS, however, needs to consider whether other healthcare related taxes meet the requirements for reporting on the CMS-64 Report to ensure the completeness of reports filed. The OAG specifically inquired regarding premium taxes that are factored into Medicaid managed care rates to determine if that health insurer tax should also be reported on the CMS-64 Report. Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State Accounting System represents a weakness in internal control over federal reporting. Procedures to ensure the consistent and complete reporting of healthcare-related taxes and fees on the CMS-64 Report are lacking. Effect: Increased risk of inaccurate federal reporting. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-068a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State?s integrated eligibility system. 2022-068b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis. 2022-068c Conduct an analysis of healthcare related fees and taxes levied by the State to determine if other healthcare related taxes require reporting in the CMS-64 Report.
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR INDIVIDUALS COVERED UNDER MANAGED CARE The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payor of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance. Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible individuals. For individuals enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. The State does not share identified TPL information with the MCOs. Criteria: 42 CFR section 433.138 requires that States (as defined in their approved State Plan) must take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island?s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid Program. With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program. Condition: Identification of TPL by managed care organizations - During fiscal 2022, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (individuals with Medicaid eligibility for the entire year) had verified TPL coverage that was similar to their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that possibly could have been cost avoided. We selected a random sample of encounter claims where the State reported verified third party liability coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Of the twenty instances where the State had verified insurance coverage for Medicaid individuals with three MCOs, those MCOs only had record of TPL in four of the instances. Validity of State Reported TPL Data - As a follow-up to the low number of TPL segments confirmed by the MCOs, we did an analysis of the State?s verified third party insurance data to evaluate its accuracy. With a concern that the State?s reported TPL verification was not completely reliable, we held discussions with EOHHS regarding the issue. EOHHS indicated that concerns had recently surfaced in regards to reported TPL in the MMIS. EOHHS had concerns that while the TPL data match was effectively identifying TPL segments, the interface with the MMIS was less effective in terminating active segments when coverage ended. Based on that concern, we performed an age analysis on current validated TPL segments at June 30, 2022 to evaluate EOHHS?s concerns. Our analysis was based on the likelihood that the older the TPL segment was, the more likely it was that the reported insurance coverage may no longer be effective. Our analysis identified that 62% of the reported 87,138 verified active TPL segments reported in the MMIS as of June 30, 2022 were older than 3 years old, and 36% were older than 5 years old. The high percentage of older TPL segments supports the concerns shared by EOHHS. Approximately 10% of reported verified TPL segments were older than 10 years. While possible, the likelihood that a verified TPL segment would not have any change required (i.e., policy number, coverage type, plan change) over those periods is questionable. Our continued analysis of federal requirements for TPL identification and cost avoidance in fiscal 2022 continue to support the need for immediate action by EOHHS. Immediate corrective actions are needed to first validate TPL data currently residing in the MMIS system. EOHHS should immediately require its MMIS contractor to validate TPL segments for active Medicaid recipients. Once validated, the MMIS contractor should address system deficiencies preventing closure of validated TPL segments when the related insurance coverage lapses. Additionally, once the validated TPL data segments are identified for current Medicaid recipients, that data should be shared with the managed care organizations to ensure that those entities have updated recipient TPL data. EOHHS should also implement enhanced monitoring procedures over MCO TPL identification and cost avoidance to ensure that the MCOs are complying with federal regulations and contractual agreements. Cause: Control deficiencies resulting in inaccurate TPL data residing in the MMIS. Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations. Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-069a Coordinate with the MMIS contractor to validate TPL segments for active Medicaid recipients and address system deficiencies preventing closure of validated TPL segments when the related insurance coverage lapses. 2022-069b Share and match identified TPL coverage with the MCOs upon enrollment and as an individual?s TPL status changes. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
CONTROLS OVER CRITICAL SYSTEM DATA INTERFACES WITHIN THE RIBRIDGES ELIGIBILITY SYSTEM Controls need to be improved to ensure that critical external data interfaces are operating as designed within the RIBridges system. Background: The State?s integrated eligibility system, RIBridges, was designed to utilize various external data sources interfaced with the system to validate applicant data. The objective was to eliminate the need for applicants to provide documentation supporting their eligibility for Medicaid or CHIP if the information was validated by independent external data sources. RIBridges utilizes the State Wage Information Collection Agency (SWICA) data, quarterly employer wage data, provided by the RI Department of Labor and Training (DLT) to validate reported applicant income. SWICA represents a critical external data source and interface within RIBridges. Criteria: The State selected SWICA data as a primary source to validate reported income by Medicaid and CHIP applicants. Federal regulations require that States maintain effective internal controls to ensure compliance with federal eligibility requirements for both programs, including the verification of applicant income. Inclusive in that responsibility are monitoring procedures to ensure that controls are operating as designed. Condition: Certain data mining procedures applied in conjunction with the testing of Medicaid eligibility for fiscal 2022, identified a significant number of State employees receiving Medical Assistance during the year. Analysis of the identified cases found that most were eligible for Medicaid or remained eligible due to federal restrictions on eligibility terminations during the public health emergency period. Our detailed case reviews, however, did identify some cases where known employee wages were not reporting through the SWICA interface as expected. Further follow-up with EOHHS staff identified that the SWICA interface was not operating as designed. Cause: The SWICA interface was not operating in accordance with its design objectives. DLT was reporting no income for employers with late quarterly filings. DLT was also not updating the data file periodically to populate late employer quarterly filings. Significant additional monitoring is needed over critical external data interfaces to ensure operational effectiveness. Effect: Eligibility for Medical Assistance for ineligible applicants. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-070a Correct operational deficiencies identified within RIBridges income validation interface. 2022-070b Implement monitoring procedures for critical external interfaces designed within RIBridges.
MANAGED CARE FINANCIAL AUDIT The State is not currently in compliance with federal regulations requiring States to implement certain program integrity safeguards when administering Medicaid managed care programs. Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs: ? 42 CFR 438.3(m) Audited financial reports. ?The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.? ? 42 CFR 438.602(e) Periodic audits. ?The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.? Condition: Federal program integrity requirements including required audits of MCO financial and encounter data have not been implemented by the State. These requirements are effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the requirements have not been complied with and policies and procedures specifically outlining the scope of the audits to be performed have not been documented. Cause: Failure to implement federal requirements for stated effective date. Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-065a Improve required contract language for required MCO financial audits to ensure compliance with federal requirements. 2022-065b Implement policies and procedures to comply with federal regulations for MCO financial audits.
MEDICAID MANAGED CARE ORGANIZATIONS ? PROVIDER ELIGIBILITY The State began procedures for the screening, enrollment, and revalidation of providers used in managed care organization (MCO) networks in fiscal 2022; however, a majority of MCO providers remained outstanding at year-end and thus the State did not materially comply with these federal requirements relating to provider eligibility. Criteria: 42 CFR Section 438.602, titled Managed Care, Additional Program Integrity Safeguards, State Responsibilities requires the State to comply with the following sections relating to provider eligibility: ?(b) Screening and enrollment and revalidation providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section for up to 120 days but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120-day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ?438.608(c). (d) Federal database checks. Consistent with the requirements at ?455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ?438.610(c).? Condition: The Medicaid and CHIP Managed Care Final Rule implemented new screening, enrollment, and revalidation requirements for providers of managed care organizations operating within these federal programs. These requirements became effective for fiscal 2019, however, EOHHS had not yet materially complied with these new regulations through fiscal 2022. Cause: Failure to implement federal requirements by the required effective date. EOHHS implemented new procedures and began enrollment in fiscal 2022 but the majority (approximately 90%) of MCO providers were not enrolled as of June 30, 2022. Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-066 Expedite implementation of procedures to comply with federal regulations for the screening, enrollment and revalidation of providers used in managed care organization networks.
MANAGED CARE FINANCIAL AUDIT The State is not currently in compliance with federal regulations requiring States to implement certain program integrity safeguards when administering Medicaid managed care programs. Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs: ? 42 CFR 438.3(m) Audited financial reports. ?The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.? ? 42 CFR 438.602(e) Periodic audits. ?The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.? Condition: Federal program integrity requirements including required audits of MCO financial and encounter data have not been implemented by the State. These requirements are effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the requirements have not been complied with and policies and procedures specifically outlining the scope of the audits to be performed have not been documented. Cause: Failure to implement federal requirements for stated effective date. Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-065a Improve required contract language for required MCO financial audits to ensure compliance with federal requirements. 2022-065b Implement policies and procedures to comply with federal regulations for MCO financial audits.
MEDICAID MANAGED CARE ORGANIZATIONS ? PROVIDER ELIGIBILITY The State began procedures for the screening, enrollment, and revalidation of providers used in managed care organization (MCO) networks in fiscal 2022; however, a majority of MCO providers remained outstanding at year-end and thus the State did not materially comply with these federal requirements relating to provider eligibility. Criteria: 42 CFR Section 438.602, titled Managed Care, Additional Program Integrity Safeguards, State Responsibilities requires the State to comply with the following sections relating to provider eligibility: ?(b) Screening and enrollment and revalidation providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section for up to 120 days but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120-day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ?438.608(c). (d) Federal database checks. Consistent with the requirements at ?455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ?438.610(c).? Condition: The Medicaid and CHIP Managed Care Final Rule implemented new screening, enrollment, and revalidation requirements for providers of managed care organizations operating within these federal programs. These requirements became effective for fiscal 2019, however, EOHHS had not yet materially complied with these new regulations through fiscal 2022. Cause: Failure to implement federal requirements by the required effective date. EOHHS implemented new procedures and began enrollment in fiscal 2022 but the majority (approximately 90%) of MCO providers were not enrolled as of June 30, 2022. Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-066 Expedite implementation of procedures to comply with federal regulations for the screening, enrollment and revalidation of providers used in managed care organization networks.
MANAGED CARE FINANCIAL AUDIT The State is not currently in compliance with federal regulations requiring States to implement certain program integrity safeguards when administering Medicaid managed care programs. Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs: ? 42 CFR 438.3(m) Audited financial reports. ?The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.? ? 42 CFR 438.602(e) Periodic audits. ?The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.? Condition: Federal program integrity requirements including required audits of MCO financial and encounter data have not been implemented by the State. These requirements are effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the requirements have not been complied with and policies and procedures specifically outlining the scope of the audits to be performed have not been documented. Cause: Failure to implement federal requirements for stated effective date. Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-065a Improve required contract language for required MCO financial audits to ensure compliance with federal requirements. 2022-065b Implement policies and procedures to comply with federal regulations for MCO financial audits.
MEDICAID MANAGED CARE ORGANIZATIONS ? PROVIDER ELIGIBILITY The State began procedures for the screening, enrollment, and revalidation of providers used in managed care organization (MCO) networks in fiscal 2022; however, a majority of MCO providers remained outstanding at year-end and thus the State did not materially comply with these federal requirements relating to provider eligibility. Criteria: 42 CFR Section 438.602, titled Managed Care, Additional Program Integrity Safeguards, State Responsibilities requires the State to comply with the following sections relating to provider eligibility: ?(b) Screening and enrollment and revalidation providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section for up to 120 days but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120-day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ?438.608(c). (d) Federal database checks. Consistent with the requirements at ?455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ?438.610(c).? Condition: The Medicaid and CHIP Managed Care Final Rule implemented new screening, enrollment, and revalidation requirements for providers of managed care organizations operating within these federal programs. These requirements became effective for fiscal 2019, however, EOHHS had not yet materially complied with these new regulations through fiscal 2022. Cause: Failure to implement federal requirements by the required effective date. EOHHS implemented new procedures and began enrollment in fiscal 2022 but the majority (approximately 90%) of MCO providers were not enrolled as of June 30, 2022. Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-066 Expedite implementation of procedures to comply with federal regulations for the screening, enrollment and revalidation of providers used in managed care organization networks.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
MANAGED CARE FINANCIAL AUDIT The State is not currently in compliance with federal regulations requiring States to implement certain program integrity safeguards when administering Medicaid managed care programs. Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs: ? 42 CFR 438.3(m) Audited financial reports. ?The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.? ? 42 CFR 438.602(e) Periodic audits. ?The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.? Condition: Federal program integrity requirements including required audits of MCO financial and encounter data have not been implemented by the State. These requirements are effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the requirements have not been complied with and policies and procedures specifically outlining the scope of the audits to be performed have not been documented. Cause: Failure to implement federal requirements for stated effective date. Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-065a Improve required contract language for required MCO financial audits to ensure compliance with federal requirements. 2022-065b Implement policies and procedures to comply with federal regulations for MCO financial audits.
MEDICAID MANAGED CARE ORGANIZATIONS ? PROVIDER ELIGIBILITY The State began procedures for the screening, enrollment, and revalidation of providers used in managed care organization (MCO) networks in fiscal 2022; however, a majority of MCO providers remained outstanding at year-end and thus the State did not materially comply with these federal requirements relating to provider eligibility. Criteria: 42 CFR Section 438.602, titled Managed Care, Additional Program Integrity Safeguards, State Responsibilities requires the State to comply with the following sections relating to provider eligibility: ?(b) Screening and enrollment and revalidation providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section for up to 120 days but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120-day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ?438.608(c). (d) Federal database checks. Consistent with the requirements at ?455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ?438.610(c).? Condition: The Medicaid and CHIP Managed Care Final Rule implemented new screening, enrollment, and revalidation requirements for providers of managed care organizations operating within these federal programs. These requirements became effective for fiscal 2019, however, EOHHS had not yet materially complied with these new regulations through fiscal 2022. Cause: Failure to implement federal requirements by the required effective date. EOHHS implemented new procedures and began enrollment in fiscal 2022 but the majority (approximately 90%) of MCO providers were not enrolled as of June 30, 2022. Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-066 Expedite implementation of procedures to comply with federal regulations for the screening, enrollment and revalidation of providers used in managed care organization networks.
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS See related Financial Statement Finding 2022-003. Capitation payments to MCOs represent approximately 60% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures. Background: Medicaid expenditures for individuals enrolled in managed care during fiscal 2022 approximated $1.9 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for 303,301 Medicaid eligible individuals - approximately 91% of total Medicaid enrollees at June 30, 2022. These capitation payments related to the following managed care programs within the State?s Medicaid program: [See Schedule of Findings and Questioned Costs for table.] Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. These programs, however, operate under similar contract structures for purposes of financial settlement with Medicaid. Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Center for Medicare & Medicaid Services overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs. Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls. Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are impacted by the control deficiencies described in Finding 2022-003 relating to the State?s financial reporting and Finding 2022-065 relating to noncompliance with the federal requirements for MCO audit provisions. These deficiencies also impact controls over federal compliance with allowable cost principles in relation to managed care contract settlements. Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP: Finding 2022-003, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls ? Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process. Finding 2022-065, Managed Care Financial Audit ? CMS inclusion of managed care financial audit requirements relating to managed care were designed to improve controls over financial activity and the underlying data reported by managed care organizations which become the basis for contract settlements with the Medicaid and CHIP programs. The State?s noncompliance with these federal requirements results in weakened controls over the administration of managed care activity. Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates. In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2021 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. The following table provides context regarding the amount of medical expenditures that were not supported by submitted encounter data in fiscal 2021 contract settlements. [See Schedule of Findings and Questioned Costs for table.] We also assessed controls to ensure the timely termination of eligibility for deceased individuals to prevent continued payment of managed care capitation after death. We found that the State had not ended eligibility in the MMIS for 127 individuals within 90 days of the date of death. This control deficiency resulted in managed care capitation totaling $467,740 (federal share - $391,994) paid for individuals who had been deceased for more than 90 days. Of that group, 77 individuals remained Medicaid active with capitation paid to the managed care organization for more than 180 days after death. While the State can recoup the capitation once the individual?s death is recorded and eligibility is ended, the delay in termination for deceased individuals further weakens overall controls relating to managed care contract settlements. The State should improve controls to ensure that capitation payments are not continued for Medicaid recipients after death. Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments. Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees. Questioned Costs: $391,994 Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-067a Improve controls over compliance requirements for the allowability of federal expenditures by addressing related internal control deficiencies (including system limitations) over financial reporting and federal noncompliance that specifically impacts financial settlements with managed care organizations. 2022-067b Improve controls to ensure the timely termination of Medicaid eligibility for deceased individuals to prevent continued payment of managed care capitation after death.
FEDERAL REPORTING Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs. Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The State?s RIFANS accounting system is the official record of federal program expenditures and therefore should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures to authorized grant awards (by federal fiscal year) for the respective programs. Condition: Reviews of federal reports for fiscal 2022 noted the following reporting deficiencies: ? Approximately $3.3 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs. ? Reconciling administrative expenditures to the State Accounting System was not performed consistently by the State?s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. ? Amounts reported for benefit expenditures on the CMS-64 Report were in excess of amounts reported in the State Accounting System. While EOHHS believes this was caused by new reporting for reinvestments of the additional 10% federal reimbursement on home and community based services, EOHHS?s reconciliation between the CMS-64 Report and the State Accounting System did not provide documentation supporting the federal reporting difference. ? Nursing facility taxes and hospital licensing fees were reported quarterly in accordance with CMS-64 Report requirements. EOHHS, however, needs to consider whether other healthcare related taxes meet the requirements for reporting on the CMS-64 Report to ensure the completeness of reports filed. The OAG specifically inquired regarding premium taxes that are factored into Medicaid managed care rates to determine if that health insurer tax should also be reported on the CMS-64 Report. Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State Accounting System represents a weakness in internal control over federal reporting. Procedures to ensure the consistent and complete reporting of healthcare-related taxes and fees on the CMS-64 Report are lacking. Effect: Increased risk of inaccurate federal reporting. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-068a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State?s integrated eligibility system. 2022-068b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis. 2022-068c Conduct an analysis of healthcare related fees and taxes levied by the State to determine if other healthcare related taxes require reporting in the CMS-64 Report.
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR INDIVIDUALS COVERED UNDER MANAGED CARE The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payor of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance. Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible individuals. For individuals enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. The State does not share identified TPL information with the MCOs. Criteria: 42 CFR section 433.138 requires that States (as defined in their approved State Plan) must take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island?s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid Program. With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program. Condition: Identification of TPL by managed care organizations - During fiscal 2022, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (individuals with Medicaid eligibility for the entire year) had verified TPL coverage that was similar to their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that possibly could have been cost avoided. We selected a random sample of encounter claims where the State reported verified third party liability coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Of the twenty instances where the State had verified insurance coverage for Medicaid individuals with three MCOs, those MCOs only had record of TPL in four of the instances. Validity of State Reported TPL Data - As a follow-up to the low number of TPL segments confirmed by the MCOs, we did an analysis of the State?s verified third party insurance data to evaluate its accuracy. With a concern that the State?s reported TPL verification was not completely reliable, we held discussions with EOHHS regarding the issue. EOHHS indicated that concerns had recently surfaced in regards to reported TPL in the MMIS. EOHHS had concerns that while the TPL data match was effectively identifying TPL segments, the interface with the MMIS was less effective in terminating active segments when coverage ended. Based on that concern, we performed an age analysis on current validated TPL segments at June 30, 2022 to evaluate EOHHS?s concerns. Our analysis was based on the likelihood that the older the TPL segment was, the more likely it was that the reported insurance coverage may no longer be effective. Our analysis identified that 62% of the reported 87,138 verified active TPL segments reported in the MMIS as of June 30, 2022 were older than 3 years old, and 36% were older than 5 years old. The high percentage of older TPL segments supports the concerns shared by EOHHS. Approximately 10% of reported verified TPL segments were older than 10 years. While possible, the likelihood that a verified TPL segment would not have any change required (i.e., policy number, coverage type, plan change) over those periods is questionable. Our continued analysis of federal requirements for TPL identification and cost avoidance in fiscal 2022 continue to support the need for immediate action by EOHHS. Immediate corrective actions are needed to first validate TPL data currently residing in the MMIS system. EOHHS should immediately require its MMIS contractor to validate TPL segments for active Medicaid recipients. Once validated, the MMIS contractor should address system deficiencies preventing closure of validated TPL segments when the related insurance coverage lapses. Additionally, once the validated TPL data segments are identified for current Medicaid recipients, that data should be shared with the managed care organizations to ensure that those entities have updated recipient TPL data. EOHHS should also implement enhanced monitoring procedures over MCO TPL identification and cost avoidance to ensure that the MCOs are complying with federal regulations and contractual agreements. Cause: Control deficiencies resulting in inaccurate TPL data residing in the MMIS. Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations. Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-069a Coordinate with the MMIS contractor to validate TPL segments for active Medicaid recipients and address system deficiencies preventing closure of validated TPL segments when the related insurance coverage lapses. 2022-069b Share and match identified TPL coverage with the MCOs upon enrollment and as an individual?s TPL status changes. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
CONTROLS OVER CRITICAL SYSTEM DATA INTERFACES WITHIN THE RIBRIDGES ELIGIBILITY SYSTEM Controls need to be improved to ensure that critical external data interfaces are operating as designed within the RIBridges system. Background: The State?s integrated eligibility system, RIBridges, was designed to utilize various external data sources interfaced with the system to validate applicant data. The objective was to eliminate the need for applicants to provide documentation supporting their eligibility for Medicaid or CHIP if the information was validated by independent external data sources. RIBridges utilizes the State Wage Information Collection Agency (SWICA) data, quarterly employer wage data, provided by the RI Department of Labor and Training (DLT) to validate reported applicant income. SWICA represents a critical external data source and interface within RIBridges. Criteria: The State selected SWICA data as a primary source to validate reported income by Medicaid and CHIP applicants. Federal regulations require that States maintain effective internal controls to ensure compliance with federal eligibility requirements for both programs, including the verification of applicant income. Inclusive in that responsibility are monitoring procedures to ensure that controls are operating as designed. Condition: Certain data mining procedures applied in conjunction with the testing of Medicaid eligibility for fiscal 2022, identified a significant number of State employees receiving Medical Assistance during the year. Analysis of the identified cases found that most were eligible for Medicaid or remained eligible due to federal restrictions on eligibility terminations during the public health emergency period. Our detailed case reviews, however, did identify some cases where known employee wages were not reporting through the SWICA interface as expected. Further follow-up with EOHHS staff identified that the SWICA interface was not operating as designed. Cause: The SWICA interface was not operating in accordance with its design objectives. DLT was reporting no income for employers with late quarterly filings. DLT was also not updating the data file periodically to populate late employer quarterly filings. Significant additional monitoring is needed over critical external data interfaces to ensure operational effectiveness. Effect: Eligibility for Medical Assistance for ineligible applicants. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-070a Correct operational deficiencies identified within RIBridges income validation interface. 2022-070b Implement monitoring procedures for critical external interfaces designed within RIBridges.
CONTROLS OVER LONG-TERM CARE FACILITY RATE SETTING The State?s current practices for long-term care facility rate setting do not fully comply with its State plan provisions requiring an annual review of nursing facility rates and related provider cost report audit requirements. Background: Nursing Facility Reimbursement - EOHHS reimburses long-term care providers using a full Resource Utilization Groups (?RUG?) system. Under the RUG system, each long-term care facility has a base per diem rate that applies to all residents that is comprised of direct nursing care and other direct care costs, indirect care, fair rental value, property taxes, direct care and gain/loss policy adjustors, and a provider assessment. Each long-term care resident is assigned a RUG score that reflects the individual?s expected resource utilization. A RUG score multiplier adjusts the provider base rate to a recipient-specific per diem rate to reflect the anticipated costs of caring for each resident. The CMS-approved RUG methodology requires that EOHHS conduct a rate review every three years (at a minimum) to determine if the original cost components used to establish the base rates are still appropriate. The State Plan also requires audits of the financial and statistical records of each participating provider. Criteria: 42 CFR section 447.250 requires that the State Plan provide for payment of hospital and long-term care facility services through rates that the State determines are reasonable and adequate to meet the costs that must be incurred by efficiently and economically operated facilities to provide services in conformity with State and Federal laws, regulations, and quality and safety standards. Condition: Nursing Facility Reimbursement ? EOHHS has not formalized its triennial rate review required by CMS in its approval of the RUG methodology. EOHHS has also not complied with the periodic audit requirements of the financial records of providers as required by the CMS-approved State Plan. Cause: EOHHS has not documented its compliance with annual rate review procedures detailed in its approved State Plan for long-term care facility rate setting. The State has also not performed long-term care facility (nursing home) audits detailed in the State Plan. Effect: Rate setting procedures for long-term care providers do not fully comply with approved State Plan requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-071 Document compliance with the Federal and State plan rate review and periodic audit requirements for long-term care providers or amend the State Plan with CMS approval to align to current practices.
MEDICAID NATIONAL CORRECT CODING INITIATIVE (NCCI) Controls to ensure NCCI claims processing edits are functioning over Medicaid activity require improvement to ensure compliance with federal regulations. Criteria: Federal regulations (Section 1903(r) of the Social Security Act) requires State Medicaid agencies to incorporate NCCI methodologies into State Medicaid programs. Application of the NCCI methodologies to fee-for-service claims processed by the State Medicaid Agency (SMA) are required. Fee-for-service claims processed by other entities, such as managed care organizations are applicable only if required by the SMA. Condition: While our test claim procedures found the NCCI edits to be operating as designed in the MMIS, our review of the State?s application of NCCI edit methodologies noted the following areas for program improvements: a. The State should consider incorporating review of the application of NCCI edits into the scope of the Service Organization Control Review conducted annually of the State?s claims processing system and related fiscal agent controls to ensure continued operation of the NCCI federal requirements within the MMIS. The NCCI edits were reviewed upon initial implementation and found to be operational; however, controls should be improved to ensure that those edits remain operational on an annual basis. b. It was unclear whether Medicaid claims processing by the State?s MCOs applied the NCCI methodologies. Claims processed by MCOs represent the majority of program expenditures within the State Medicaid program. Managed care contracts did not specifically require application of NCCI edits within the MCO claims processing systems. EOHHS should consider whether to formalize this requirement going forward to apply these edits to a material segment of Medicaid expenditures. c. We noted that the NCCI edits were not applied in the MMIS in the order specified by the federal regulations; however, we do not believe this had a significant impact on compliance. d. For some of our individual case tests, the MMIS did not reject certain procedure to procedure edits that are included in the NCCI edits. The MMIS contractor could not provide a specific reason as to why these edits were not performing as expected in the test environment. Our analysis of actual claim edits during the year did include several procedure-to-procedure edits that were denied by the MMIS so it was unclear as to why certain specific procedure-to-procedure edits were not functioning as expected in the test environment. Cause: Lack of NCCI edit monitoring procedures by EOHHS and limited instances of noncompliance with the NCCI Medicaid Technical Guidance. Effect: Potential noncompliance with NCCI special test and provision federal requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-072a Include review of the application of NCCI edits into the scope of the Service Organization Control Review conducted annually of the State?s claims processing system and related fiscal agent controls to ensure continued operation of the NCCI federal requirements within the MMIS. 2022-072b Ensure that the State?s procurement of a new Medicaid Management Information System includes the requirements outlined in the NCCI Medicaid Technical Guidance issued by CMS. 2022-072c Consider in future MCO contract procurements, the benefits of mandating MCOs to implement NCCI edits within their claim processing systems to enhance program integrity over managed care claiming.
SERVICES PROVIDED TO CHILDREN IN THE STATE?S CUSTODY BY THE DEPARTMENT OF CHILDREN, YOUTH, AND FAMILIES (DCYF) BILLED TO MEDICAID Certain psychiatric residential treatment facility (PRTF) services provided to children in the State?s custody have been charged to Medicaid in fiscal 2022 in accordance with a methodology that is pending State Plan Approval. Controls over other services provided to children in the State?s custody would be improved if processed through the Medicaid Management Information System (MMIS). Background: EOHHS, the Single State Medicaid Agency, administers claiming to Medicaid from other health and human service State agencies (such as DCYF) through the execution of Interagency Service Agreements (ISAs). The ISA provides approval by the Single State Medicaid Agency that the proposed services are allowable and the necessary requirements that the other agency must comply with to support the allowability of the claims to Medicaid. Services authorized by the ISAs should be claimed in accordance with approved State Plan requirements. PRTF services (which began in fiscal 2020) claimed by DCYF to Medicaid are an identified service within the ISA. The approval to claim these services based on an all-inclusive rate determined through a cost-based methodology is still pending with the Centers for Medicare and Medicaid Services (CMS). In fiscal 2022, the reimbursement rate was established based on a budget submitted by the service provider. Criteria: Federal approval to reimburse PRTF service providers based on a cost reimbursement methodology is currently pending with CMS. Reimbursing providers in accordance with an approved State Plan methodology is a requirement for considering the allowability of federal expenditures. Condition: DCYF implemented psychiatric residential treatment facility (PRTF) services during fiscal 2020 to provide a current level of service to children in the State?s custody that was previously lacking. Previously, DCYF allocated claiming for all contracted youth placement providers to Medicaid based on a time study methodology (partial charging, previously based on underlying time study allocation for treatment and assessment component of service provided). PRTF placements were a change in that certified and licensed facilities would be charged at 100% of the contracted per diem rate (set based on a cost reimbursement methodology) to Medicaid. Medicaid reimbursements have been made to DCYF since inception based on the new methodology, even though State Plan approval of that cost reimbursement methodology is still pending. DCYF was reimbursed approximately $3.9 million for PRTF services provided to children in the State?s custody during fiscal 2022. During our audit, we also noted that approximately $19 million in other services to children in the State?s custody are being claimed to Medicaid through journal entries in the State Accounting System. Controls over these services would be greatly enhanced if these providers submitted claims to the MMIS directly for reimbursement. Allowing fee-for-service claiming to be reimbursed by Medicaid external to the MMIS significantly weakens program controls. Cause: Medicaid reimbursements of PRTF services to DCYF during fiscal 2022 were based on a reimbursement methodology which is pending State Plan Amendment approval by CMS. Control weaknesses exist when Medicaid claiming is not processed through the MMIS. Effect: Potential noncompliance with federal regulations for allowable costs/cost principles. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-073a Ensure that PRTF services are reimbursed to DCYF in accordance with the currently approved Medicaid State Plan. 2022-073b Ensure that allowable medical services provided by DCYF providers are billed directly to the MMIS and subject to all designed claims processing, recipient eligibility, and provider eligibility controls.
ALLOWABLE COSTS ? MEDICAL ASSISTANCE Controls need to be improved to ensure that certain program expenditures comply with federal allowable cost requirements. Criteria: Section 200.403 of the Uniform Guidance requires that costs conform to limitations set forth in the Uniform Guidance as to types or amounts of cost items and that such costs should be adequately documented. Section 200.410 of the Uniform Guidance indicates that payments made for costs determined to be unallowable must be refunded to the Federal Government. Condition: Agreement and support of contractor costs to underlying contracts ? In reviewing certain sample contractor invoices charged to Medicaid, the supporting documentation provided did not agree with the underlying contract for detailed cost items or the support could not be readily agreed to the underlying contract (questioned costs - $4,043, federal share - $3,639). Local Education Agency Claiming Reviews ? EOHHS conducts periodic claiming reviews of Local Education Agency documentation for special education services reimbursed by Medicaid. In conjunction with those reviews, services that are not documented in accordance with the State?s policies and procedures for special education services are deemed unallowable. The OAG identified unallowable claiming totaling $37 (federal share- $23) that was not recouped from the provider and credited back to the federal grantor. Documentation of support on hand at the time of invoice review and approval by EOHHS was difficult to determine. Our review of most high dollar contractor invoices required significant follow-up with the agency to agree amounts to the underlying contracts. Cause: The documentation of invoice reviews (especially high dollar contractor invoices) by EOHHS was lacking in certain areas resulting in significant follow-up with the agency and identification of the questioned costs above. While EOHHS reviews of special education claiming were well documented, procedural improvements to ensure that recoupments are made for identified services deemed unallowable are needed. Effect: Failure to comply with Uniform Guidance requirements for the allowability of program expenditures. Questioned Costs: $3,662 Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-074a Implement enhanced invoice review documentation requirements for significant contractor invoices to ensure compliance with Uniform Guidance requirements over allowable costs in the Medicaid Program. 2022-074b Improve procedures to ensure that recoupments are made for identified special education services deemed unallowable for Medicaid reimbursement.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
MANAGED CARE FINANCIAL AUDIT The State is not currently in compliance with federal regulations requiring States to implement certain program integrity safeguards when administering Medicaid managed care programs. Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs: ? 42 CFR 438.3(m) Audited financial reports. ?The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.? ? 42 CFR 438.602(e) Periodic audits. ?The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.? Condition: Federal program integrity requirements including required audits of MCO financial and encounter data have not been implemented by the State. These requirements are effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the requirements have not been complied with and policies and procedures specifically outlining the scope of the audits to be performed have not been documented. Cause: Failure to implement federal requirements for stated effective date. Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-065a Improve required contract language for required MCO financial audits to ensure compliance with federal requirements. 2022-065b Implement policies and procedures to comply with federal regulations for MCO financial audits.
MEDICAID MANAGED CARE ORGANIZATIONS ? PROVIDER ELIGIBILITY The State began procedures for the screening, enrollment, and revalidation of providers used in managed care organization (MCO) networks in fiscal 2022; however, a majority of MCO providers remained outstanding at year-end and thus the State did not materially comply with these federal requirements relating to provider eligibility. Criteria: 42 CFR Section 438.602, titled Managed Care, Additional Program Integrity Safeguards, State Responsibilities requires the State to comply with the following sections relating to provider eligibility: ?(b) Screening and enrollment and revalidation providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section for up to 120 days but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120-day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ?438.608(c). (d) Federal database checks. Consistent with the requirements at ?455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ?438.610(c).? Condition: The Medicaid and CHIP Managed Care Final Rule implemented new screening, enrollment, and revalidation requirements for providers of managed care organizations operating within these federal programs. These requirements became effective for fiscal 2019, however, EOHHS had not yet materially complied with these new regulations through fiscal 2022. Cause: Failure to implement federal requirements by the required effective date. EOHHS implemented new procedures and began enrollment in fiscal 2022 but the majority (approximately 90%) of MCO providers were not enrolled as of June 30, 2022. Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-066 Expedite implementation of procedures to comply with federal regulations for the screening, enrollment and revalidation of providers used in managed care organization networks.
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS See related Financial Statement Finding 2022-003. Capitation payments to MCOs represent approximately 60% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures. Background: Medicaid expenditures for individuals enrolled in managed care during fiscal 2022 approximated $1.9 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for 303,301 Medicaid eligible individuals - approximately 91% of total Medicaid enrollees at June 30, 2022. These capitation payments related to the following managed care programs within the State?s Medicaid program: [See Schedule of Findings and Questioned Costs for table.] Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. These programs, however, operate under similar contract structures for purposes of financial settlement with Medicaid. Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Center for Medicare & Medicaid Services overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs. Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls. Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are impacted by the control deficiencies described in Finding 2022-003 relating to the State?s financial reporting and Finding 2022-065 relating to noncompliance with the federal requirements for MCO audit provisions. These deficiencies also impact controls over federal compliance with allowable cost principles in relation to managed care contract settlements. Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP: Finding 2022-003, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls ? Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process. Finding 2022-065, Managed Care Financial Audit ? CMS inclusion of managed care financial audit requirements relating to managed care were designed to improve controls over financial activity and the underlying data reported by managed care organizations which become the basis for contract settlements with the Medicaid and CHIP programs. The State?s noncompliance with these federal requirements results in weakened controls over the administration of managed care activity. Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates. In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2021 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. The following table provides context regarding the amount of medical expenditures that were not supported by submitted encounter data in fiscal 2021 contract settlements. [See Schedule of Findings and Questioned Costs for table.] We also assessed controls to ensure the timely termination of eligibility for deceased individuals to prevent continued payment of managed care capitation after death. We found that the State had not ended eligibility in the MMIS for 127 individuals within 90 days of the date of death. This control deficiency resulted in managed care capitation totaling $467,740 (federal share - $391,994) paid for individuals who had been deceased for more than 90 days. Of that group, 77 individuals remained Medicaid active with capitation paid to the managed care organization for more than 180 days after death. While the State can recoup the capitation once the individual?s death is recorded and eligibility is ended, the delay in termination for deceased individuals further weakens overall controls relating to managed care contract settlements. The State should improve controls to ensure that capitation payments are not continued for Medicaid recipients after death. Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments. Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees. Questioned Costs: $391,994 Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-067a Improve controls over compliance requirements for the allowability of federal expenditures by addressing related internal control deficiencies (including system limitations) over financial reporting and federal noncompliance that specifically impacts financial settlements with managed care organizations. 2022-067b Improve controls to ensure the timely termination of Medicaid eligibility for deceased individuals to prevent continued payment of managed care capitation after death.
FEDERAL REPORTING Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs. Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The State?s RIFANS accounting system is the official record of federal program expenditures and therefore should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures to authorized grant awards (by federal fiscal year) for the respective programs. Condition: Reviews of federal reports for fiscal 2022 noted the following reporting deficiencies: ? Approximately $3.3 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs. ? Reconciling administrative expenditures to the State Accounting System was not performed consistently by the State?s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. ? Amounts reported for benefit expenditures on the CMS-64 Report were in excess of amounts reported in the State Accounting System. While EOHHS believes this was caused by new reporting for reinvestments of the additional 10% federal reimbursement on home and community based services, EOHHS?s reconciliation between the CMS-64 Report and the State Accounting System did not provide documentation supporting the federal reporting difference. ? Nursing facility taxes and hospital licensing fees were reported quarterly in accordance with CMS-64 Report requirements. EOHHS, however, needs to consider whether other healthcare related taxes meet the requirements for reporting on the CMS-64 Report to ensure the completeness of reports filed. The OAG specifically inquired regarding premium taxes that are factored into Medicaid managed care rates to determine if that health insurer tax should also be reported on the CMS-64 Report. Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State Accounting System represents a weakness in internal control over federal reporting. Procedures to ensure the consistent and complete reporting of healthcare-related taxes and fees on the CMS-64 Report are lacking. Effect: Increased risk of inaccurate federal reporting. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-068a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State?s integrated eligibility system. 2022-068b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis. 2022-068c Conduct an analysis of healthcare related fees and taxes levied by the State to determine if other healthcare related taxes require reporting in the CMS-64 Report.
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR INDIVIDUALS COVERED UNDER MANAGED CARE The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payor of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance. Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible individuals. For individuals enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. The State does not share identified TPL information with the MCOs. Criteria: 42 CFR section 433.138 requires that States (as defined in their approved State Plan) must take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island?s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid Program. With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program. Condition: Identification of TPL by managed care organizations - During fiscal 2022, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (individuals with Medicaid eligibility for the entire year) had verified TPL coverage that was similar to their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that possibly could have been cost avoided. We selected a random sample of encounter claims where the State reported verified third party liability coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Of the twenty instances where the State had verified insurance coverage for Medicaid individuals with three MCOs, those MCOs only had record of TPL in four of the instances. Validity of State Reported TPL Data - As a follow-up to the low number of TPL segments confirmed by the MCOs, we did an analysis of the State?s verified third party insurance data to evaluate its accuracy. With a concern that the State?s reported TPL verification was not completely reliable, we held discussions with EOHHS regarding the issue. EOHHS indicated that concerns had recently surfaced in regards to reported TPL in the MMIS. EOHHS had concerns that while the TPL data match was effectively identifying TPL segments, the interface with the MMIS was less effective in terminating active segments when coverage ended. Based on that concern, we performed an age analysis on current validated TPL segments at June 30, 2022 to evaluate EOHHS?s concerns. Our analysis was based on the likelihood that the older the TPL segment was, the more likely it was that the reported insurance coverage may no longer be effective. Our analysis identified that 62% of the reported 87,138 verified active TPL segments reported in the MMIS as of June 30, 2022 were older than 3 years old, and 36% were older than 5 years old. The high percentage of older TPL segments supports the concerns shared by EOHHS. Approximately 10% of reported verified TPL segments were older than 10 years. While possible, the likelihood that a verified TPL segment would not have any change required (i.e., policy number, coverage type, plan change) over those periods is questionable. Our continued analysis of federal requirements for TPL identification and cost avoidance in fiscal 2022 continue to support the need for immediate action by EOHHS. Immediate corrective actions are needed to first validate TPL data currently residing in the MMIS system. EOHHS should immediately require its MMIS contractor to validate TPL segments for active Medicaid recipients. Once validated, the MMIS contractor should address system deficiencies preventing closure of validated TPL segments when the related insurance coverage lapses. Additionally, once the validated TPL data segments are identified for current Medicaid recipients, that data should be shared with the managed care organizations to ensure that those entities have updated recipient TPL data. EOHHS should also implement enhanced monitoring procedures over MCO TPL identification and cost avoidance to ensure that the MCOs are complying with federal regulations and contractual agreements. Cause: Control deficiencies resulting in inaccurate TPL data residing in the MMIS. Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations. Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-069a Coordinate with the MMIS contractor to validate TPL segments for active Medicaid recipients and address system deficiencies preventing closure of validated TPL segments when the related insurance coverage lapses. 2022-069b Share and match identified TPL coverage with the MCOs upon enrollment and as an individual?s TPL status changes. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
CONTROLS OVER CRITICAL SYSTEM DATA INTERFACES WITHIN THE RIBRIDGES ELIGIBILITY SYSTEM Controls need to be improved to ensure that critical external data interfaces are operating as designed within the RIBridges system. Background: The State?s integrated eligibility system, RIBridges, was designed to utilize various external data sources interfaced with the system to validate applicant data. The objective was to eliminate the need for applicants to provide documentation supporting their eligibility for Medicaid or CHIP if the information was validated by independent external data sources. RIBridges utilizes the State Wage Information Collection Agency (SWICA) data, quarterly employer wage data, provided by the RI Department of Labor and Training (DLT) to validate reported applicant income. SWICA represents a critical external data source and interface within RIBridges. Criteria: The State selected SWICA data as a primary source to validate reported income by Medicaid and CHIP applicants. Federal regulations require that States maintain effective internal controls to ensure compliance with federal eligibility requirements for both programs, including the verification of applicant income. Inclusive in that responsibility are monitoring procedures to ensure that controls are operating as designed. Condition: Certain data mining procedures applied in conjunction with the testing of Medicaid eligibility for fiscal 2022, identified a significant number of State employees receiving Medical Assistance during the year. Analysis of the identified cases found that most were eligible for Medicaid or remained eligible due to federal restrictions on eligibility terminations during the public health emergency period. Our detailed case reviews, however, did identify some cases where known employee wages were not reporting through the SWICA interface as expected. Further follow-up with EOHHS staff identified that the SWICA interface was not operating as designed. Cause: The SWICA interface was not operating in accordance with its design objectives. DLT was reporting no income for employers with late quarterly filings. DLT was also not updating the data file periodically to populate late employer quarterly filings. Significant additional monitoring is needed over critical external data interfaces to ensure operational effectiveness. Effect: Eligibility for Medical Assistance for ineligible applicants. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-070a Correct operational deficiencies identified within RIBridges income validation interface. 2022-070b Implement monitoring procedures for critical external interfaces designed within RIBridges.
CONTROLS OVER LONG-TERM CARE FACILITY RATE SETTING The State?s current practices for long-term care facility rate setting do not fully comply with its State plan provisions requiring an annual review of nursing facility rates and related provider cost report audit requirements. Background: Nursing Facility Reimbursement - EOHHS reimburses long-term care providers using a full Resource Utilization Groups (?RUG?) system. Under the RUG system, each long-term care facility has a base per diem rate that applies to all residents that is comprised of direct nursing care and other direct care costs, indirect care, fair rental value, property taxes, direct care and gain/loss policy adjustors, and a provider assessment. Each long-term care resident is assigned a RUG score that reflects the individual?s expected resource utilization. A RUG score multiplier adjusts the provider base rate to a recipient-specific per diem rate to reflect the anticipated costs of caring for each resident. The CMS-approved RUG methodology requires that EOHHS conduct a rate review every three years (at a minimum) to determine if the original cost components used to establish the base rates are still appropriate. The State Plan also requires audits of the financial and statistical records of each participating provider. Criteria: 42 CFR section 447.250 requires that the State Plan provide for payment of hospital and long-term care facility services through rates that the State determines are reasonable and adequate to meet the costs that must be incurred by efficiently and economically operated facilities to provide services in conformity with State and Federal laws, regulations, and quality and safety standards. Condition: Nursing Facility Reimbursement ? EOHHS has not formalized its triennial rate review required by CMS in its approval of the RUG methodology. EOHHS has also not complied with the periodic audit requirements of the financial records of providers as required by the CMS-approved State Plan. Cause: EOHHS has not documented its compliance with annual rate review procedures detailed in its approved State Plan for long-term care facility rate setting. The State has also not performed long-term care facility (nursing home) audits detailed in the State Plan. Effect: Rate setting procedures for long-term care providers do not fully comply with approved State Plan requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-071 Document compliance with the Federal and State plan rate review and periodic audit requirements for long-term care providers or amend the State Plan with CMS approval to align to current practices.
MEDICAID NATIONAL CORRECT CODING INITIATIVE (NCCI) Controls to ensure NCCI claims processing edits are functioning over Medicaid activity require improvement to ensure compliance with federal regulations. Criteria: Federal regulations (Section 1903(r) of the Social Security Act) requires State Medicaid agencies to incorporate NCCI methodologies into State Medicaid programs. Application of the NCCI methodologies to fee-for-service claims processed by the State Medicaid Agency (SMA) are required. Fee-for-service claims processed by other entities, such as managed care organizations are applicable only if required by the SMA. Condition: While our test claim procedures found the NCCI edits to be operating as designed in the MMIS, our review of the State?s application of NCCI edit methodologies noted the following areas for program improvements: a. The State should consider incorporating review of the application of NCCI edits into the scope of the Service Organization Control Review conducted annually of the State?s claims processing system and related fiscal agent controls to ensure continued operation of the NCCI federal requirements within the MMIS. The NCCI edits were reviewed upon initial implementation and found to be operational; however, controls should be improved to ensure that those edits remain operational on an annual basis. b. It was unclear whether Medicaid claims processing by the State?s MCOs applied the NCCI methodologies. Claims processed by MCOs represent the majority of program expenditures within the State Medicaid program. Managed care contracts did not specifically require application of NCCI edits within the MCO claims processing systems. EOHHS should consider whether to formalize this requirement going forward to apply these edits to a material segment of Medicaid expenditures. c. We noted that the NCCI edits were not applied in the MMIS in the order specified by the federal regulations; however, we do not believe this had a significant impact on compliance. d. For some of our individual case tests, the MMIS did not reject certain procedure to procedure edits that are included in the NCCI edits. The MMIS contractor could not provide a specific reason as to why these edits were not performing as expected in the test environment. Our analysis of actual claim edits during the year did include several procedure-to-procedure edits that were denied by the MMIS so it was unclear as to why certain specific procedure-to-procedure edits were not functioning as expected in the test environment. Cause: Lack of NCCI edit monitoring procedures by EOHHS and limited instances of noncompliance with the NCCI Medicaid Technical Guidance. Effect: Potential noncompliance with NCCI special test and provision federal requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-072a Include review of the application of NCCI edits into the scope of the Service Organization Control Review conducted annually of the State?s claims processing system and related fiscal agent controls to ensure continued operation of the NCCI federal requirements within the MMIS. 2022-072b Ensure that the State?s procurement of a new Medicaid Management Information System includes the requirements outlined in the NCCI Medicaid Technical Guidance issued by CMS. 2022-072c Consider in future MCO contract procurements, the benefits of mandating MCOs to implement NCCI edits within their claim processing systems to enhance program integrity over managed care claiming.
SERVICES PROVIDED TO CHILDREN IN THE STATE?S CUSTODY BY THE DEPARTMENT OF CHILDREN, YOUTH, AND FAMILIES (DCYF) BILLED TO MEDICAID Certain psychiatric residential treatment facility (PRTF) services provided to children in the State?s custody have been charged to Medicaid in fiscal 2022 in accordance with a methodology that is pending State Plan Approval. Controls over other services provided to children in the State?s custody would be improved if processed through the Medicaid Management Information System (MMIS). Background: EOHHS, the Single State Medicaid Agency, administers claiming to Medicaid from other health and human service State agencies (such as DCYF) through the execution of Interagency Service Agreements (ISAs). The ISA provides approval by the Single State Medicaid Agency that the proposed services are allowable and the necessary requirements that the other agency must comply with to support the allowability of the claims to Medicaid. Services authorized by the ISAs should be claimed in accordance with approved State Plan requirements. PRTF services (which began in fiscal 2020) claimed by DCYF to Medicaid are an identified service within the ISA. The approval to claim these services based on an all-inclusive rate determined through a cost-based methodology is still pending with the Centers for Medicare and Medicaid Services (CMS). In fiscal 2022, the reimbursement rate was established based on a budget submitted by the service provider. Criteria: Federal approval to reimburse PRTF service providers based on a cost reimbursement methodology is currently pending with CMS. Reimbursing providers in accordance with an approved State Plan methodology is a requirement for considering the allowability of federal expenditures. Condition: DCYF implemented psychiatric residential treatment facility (PRTF) services during fiscal 2020 to provide a current level of service to children in the State?s custody that was previously lacking. Previously, DCYF allocated claiming for all contracted youth placement providers to Medicaid based on a time study methodology (partial charging, previously based on underlying time study allocation for treatment and assessment component of service provided). PRTF placements were a change in that certified and licensed facilities would be charged at 100% of the contracted per diem rate (set based on a cost reimbursement methodology) to Medicaid. Medicaid reimbursements have been made to DCYF since inception based on the new methodology, even though State Plan approval of that cost reimbursement methodology is still pending. DCYF was reimbursed approximately $3.9 million for PRTF services provided to children in the State?s custody during fiscal 2022. During our audit, we also noted that approximately $19 million in other services to children in the State?s custody are being claimed to Medicaid through journal entries in the State Accounting System. Controls over these services would be greatly enhanced if these providers submitted claims to the MMIS directly for reimbursement. Allowing fee-for-service claiming to be reimbursed by Medicaid external to the MMIS significantly weakens program controls. Cause: Medicaid reimbursements of PRTF services to DCYF during fiscal 2022 were based on a reimbursement methodology which is pending State Plan Amendment approval by CMS. Control weaknesses exist when Medicaid claiming is not processed through the MMIS. Effect: Potential noncompliance with federal regulations for allowable costs/cost principles. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-073a Ensure that PRTF services are reimbursed to DCYF in accordance with the currently approved Medicaid State Plan. 2022-073b Ensure that allowable medical services provided by DCYF providers are billed directly to the MMIS and subject to all designed claims processing, recipient eligibility, and provider eligibility controls.
ALLOWABLE COSTS ? MEDICAL ASSISTANCE Controls need to be improved to ensure that certain program expenditures comply with federal allowable cost requirements. Criteria: Section 200.403 of the Uniform Guidance requires that costs conform to limitations set forth in the Uniform Guidance as to types or amounts of cost items and that such costs should be adequately documented. Section 200.410 of the Uniform Guidance indicates that payments made for costs determined to be unallowable must be refunded to the Federal Government. Condition: Agreement and support of contractor costs to underlying contracts ? In reviewing certain sample contractor invoices charged to Medicaid, the supporting documentation provided did not agree with the underlying contract for detailed cost items or the support could not be readily agreed to the underlying contract (questioned costs - $4,043, federal share - $3,639). Local Education Agency Claiming Reviews ? EOHHS conducts periodic claiming reviews of Local Education Agency documentation for special education services reimbursed by Medicaid. In conjunction with those reviews, services that are not documented in accordance with the State?s policies and procedures for special education services are deemed unallowable. The OAG identified unallowable claiming totaling $37 (federal share- $23) that was not recouped from the provider and credited back to the federal grantor. Documentation of support on hand at the time of invoice review and approval by EOHHS was difficult to determine. Our review of most high dollar contractor invoices required significant follow-up with the agency to agree amounts to the underlying contracts. Cause: The documentation of invoice reviews (especially high dollar contractor invoices) by EOHHS was lacking in certain areas resulting in significant follow-up with the agency and identification of the questioned costs above. While EOHHS reviews of special education claiming were well documented, procedural improvements to ensure that recoupments are made for identified services deemed unallowable are needed. Effect: Failure to comply with Uniform Guidance requirements for the allowability of program expenditures. Questioned Costs: $3,662 Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-074a Implement enhanced invoice review documentation requirements for significant contractor invoices to ensure compliance with Uniform Guidance requirements over allowable costs in the Medicaid Program. 2022-074b Improve procedures to ensure that recoupments are made for identified special education services deemed unallowable for Medicaid reimbursement.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
CONTROLS OVER PANDEMIC-RELATED EXPENDITURES ALLOCABLE TO MULTIPLE FEDERAL AWARDS The State had insufficient controls to ensure expenditures were not reimbursed from more than one award under federal programs with similar pandemic response related objectives. Background: The State received an unprecedented amount of federal assistance to respond to the effects of the global pandemic including $1.25 billion for the Coronavirus Relief Fund (CRF) pursuant to the CARES Act. Assistance was also received under the FEMA Stafford Act Disaster Grants program and the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program. Certain costs were reimbursable under any of these programs and federal guidance was continually evolving which resulted in changing direction as to which costs were to be applied to a specific federal award. As guidelines and circumstances changed expenditures were often applied to one funding source and then subsequently adjusted to another funding source. Adjustments of program expenditures between federal programs often overlapped fiscal years due to the length of the pandemic. Criteria: Expenditures may only be reimbursed from one federal award. Condition: Due to changing federal guidelines and the evolving State response to the pandemic, costs were often charged to one funding source and then later moved to another funding source. When expenditures are reclassified or reallocated within the RIFANS accounting system, journal entries are used to move the aggregate dollar activity; however, the original transaction (expenditure/disbursement) remains in the account originally charged offset by a credit. This process complicates the identification of the underlying expenditures reimbursed by the federal award and increases the risk that expenditures could be reimbursed from more than one federal award. During fiscal 2022, we noted the following adjustments to financial activity supporting the cited control deficiency: ? Approximately $6.0 million in expenditures were adjusted from ELC to FEMA, and $2.9 million in expenditures adjusted from FEMA to ELC, including $2.3 million that is identified as ineligible for reimbursement to FEMA?s Disaster Grants program. ? Approximately $7.0 million was adjusted from CRF to FEMA?s Disaster Grants program and another $1.9 million from FEMA?s Disaster Grants program to CRF. Of those, $423,902 were identified as ineligible for reimbursement to FEMA?s Disaster Grants program, including some from the prior fiscal year. Controls were insufficient to ensure that costs were not reimbursed from more than one federal award. The State?s process for recording accounting adjustments via aggregate dollar journal entries limits the effectiveness of controls to prevent duplicate reimbursement from federal funding sources. Reconciliations to adequately identify any potential duplicate reimbursements were incomplete during fiscal 2022 but continued after the close of the fiscal year. Numerous journal entries were subsequently processed in fiscal 2022 to adjust COVID-related activity, for expenditures claimed in fiscal 2021 and fiscal 2020, between federal funding sources (principally CRF, FEMA, and ELC). While we acknowledge that the State has performed significant reconciliation procedures to identify instances where expenditures were charged to multiple federal programs, the manually intensive nature of those procedures does not fully mitigate the risk of the control deficiency. Cause: Due to the rapid response required during the pandemic, the existence of multiple federal funding sources, and continually evolving federal guidance, costs were moved and adjusted in the accounting system to various funding sources, which increased the risk that a cost could be reimbursed from more than one federal award. Effect: Potential duplicate reimbursement of expenditures from more than one federal award. Potential of charging costs for unallowable activities to federal programs as the expenditure detail is not maintained when expenditures are adjusted in the accounting system. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-052 Ensure reconciliations and any required adjustments are complete to demonstrate that eligible COVID program costs were not reimbursed from more than one federal funding source.
FEDERAL FINANCIAL REPORTS AND QUARTERLY PROGRESS REPORTS RIEMA can improve its reporting function. Required federal financial reports for fiscal 2022 were not properly supported by the State?s accounting system. Quarterly progress reports contained comments that did not appear truly representative of the status of the specific projects at the end of the quarter. Criteria: Consistent with Uniform Guidance requirements, the State is required to complete the SF 425, Federal Financial Report, quarterly for the grant. The FFR should be sufficiently supported by the State?s accounting records. Additionally, 44 CFR ?206.204(f) requires that progress reports be submitted by grant recipients quarterly. The reports are to describe ?the status of those projects on which a final payment of the Federal share has not been made to the recipient and outline any problems or circumstances expected to result in noncompliance with the approved grant conditions.? Condition: We were unable to match amounts reported on each of the four quarterly SF-425 reports for fiscal 2022 to amounts included in the RIFANS accounting system. We noted variances between the amounts reported and both transactions in the RIFANS accounting system and obligations reported in FEMA?s grants portal. In certain instances, cash receipts were reported in quarters prior to the authorization in the FEMA grants portal and subsequent drawdown by the State. We separately performed testing of the quarterly progress reports for fiscal 2022. For the quarter ended June 30, 2022, we noted several projects with a status that costs were completed but not paid out to the recipient. Based on review of accounting records, these project costs were either allocated to the applicable State agency or paid to the recipient entity outside of the primary government (i.e., component unit, municipal government, non-profit organization) prior to the end of the quarter. Cause: RIEMA did not have procedures in place to ensure that federal reports were consistent with underlying supporting documentation (i.e., accounting system, agency tracking sheets). Effect: Expenditures reported on the SF-425 for this program were overstated. Quarterly progress reports did not accurately reflect the current status of open projects. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-075a Strengthen procedures for preparing federal financial reports to ensure that information reported is adequately supported and consistent with amounts included in the RIFANS accounting system. 2022-075b Submit revised SF-425 and quarterly progress reports to reflect corrected expenditures and drawdowns for fiscal 2022, as necessary.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
CONTROLS OVER UNEMPLOYMENT INSURANCE BENEFIT PAYMENTS See related Financial Statement Finding 2022-002. Controls over the processing of unemployment insurance claims were ineffective to sufficiently prevent fraudulent unemployment insurance benefit payments. Controls were also ineffective to ensure compliance with the documentation of self-employment income for the Pandemic Unemployment Assistance (PUA) program. Background: Since the start of the pandemic, the Department of Labor and Training (DLT) disbursed more than $2.7 billion in unemployment insurance benefits. In response to the COVID-19 pandemic, the federal Coronavirus Aid, Relief, and Economic Security (CARES) Act expanded and/or extended unemployment insurance benefits, including providing new benefits to self-employed individuals and independent contractors. Fraudulent claims for unemployment insurance benefits also increased rapidly, concurrent with the overall increase in claims due to the pandemic. This unprecedented increase in fraudulent claims was experienced nationwide and was not unique to Rhode Island. Expanded pandemic unemployment benefits continued during fiscal 2022, through September 2021, exceeding $300 million. The system used by DLT to process unemployment insurance (UI) benefits utilizes outdated technology. This legacy system is mainframe based and programmed in COBOL. In response to the pandemic-related surge in unemployment insurance claims, new ?cloud-based? technologies were rapidly deployed to facilitate processing the volume of claims and interactions with claimants; however, the primary claims processing functions were still performed by the legacy system. Criteria: Management is responsible for establishing and maintaining effective internal controls to process and disburse unemployment insurance benefits consistent with federal program guidelines including appropriate procedures to prevent and detect fraudulent payments. Collections on overpayments due to error or fraud must be reported and credited to the appropriate federal award that funded the unemployment insurance benefit. The PUA program was created under the CARES Act to provide benefits to self-employed individuals who were previously ineligible for traditional unemployment insurance benefits. A ?covered individual? is someone who meets each of the following three conditions: 1. The individual is not eligible for regular Unemployment Compensation, Extended Benefits, or Pandemic Emergency Unemployment Compensation. This also includes those who have exhausted all rights to such benefits, self-employed, those seeking part-time employment, individuals lacking sufficient work history. Self-employed individuals include independent contractors and ?gig economy workers?. 2. Individuals must self-certify that they are unemployed, partially unemployed, or unable or unavailable to work due to one of the COVID19 related reasons identified in Section 2102(a)(3)(A)(ii)(I) of the CARES Act and in Departmental guidance (UIPL 16-20 and Attachment I, Section C.1. of UIPL 16-20, Change 4). Because this eligibility is based on self-certification, states may only request supporting documentation if they have reasonable suspicions of fraud (question 23 of Attachment I to UIPL No. 16-20, Change 2). 3. Additionally, individuals who are paid on or after December 27, 2020, must submit proof of documentation substantiating employment, self-employment, or the planned commencement of employment or self-employment (see Attachment I, Section C.2. of UIPL No. 16-20, Change 4). This includes individuals requesting retroactive payments that are not received until after December 27, 2020. Condition: DLT?s internal control procedures were not sufficiently effective to ensure that unemployment benefit payments were made only to eligible individuals. DLT estimated another $10 million in fraudulent claims were paid in fiscal 2022 prior to the end of expanded benefits in September 2021. DLT implemented additional measures since the commencement of the enhanced federal benefits which aided fraud prevention but did not fully eliminate such activities. The decreased rate of fraudulent benefits in fiscal 2022 was a significant improvement over fiscal 2021 and a direct result of fraud prevention procedures implemented by the DLT. The federal government required (effective in December 2020) stricter documentation requirements of income provisions for self-employed individuals; however, most claimants did not provide the required documentation and benefits continued. In a sample of 60 UI and PUA claimants, of which 41 (68%) were UI and 19 (32%) were PUA, our testing found that 19 of 19 (100%) claimants receiving PUA payments after December 27, 2020, provided no evidence of employment status or self-employment income as required by federal regulations. Sampled benefits missing the required documentation totaled $90,669. DLT?s failure to obtain the required documentation for a significant percentage of unemployment benefits awarded under PUA is considered material noncompliance with eligibility requirements for fiscal 2022. In some limited instances, claw back of amounts (approximating $3.7 million) paid to fraudulent beneficiaries were made. About $2 million of this was returned to the Treasury. DLT has lagged in determining the funding source of the remaining amounts ($1.7 million) resulting in a delay in crediting applicable amounts to the appropriate federal award, when applicable. Beyond the above control considerations, DLT?s current mainframe system has reached end-of-life and poses significant business continuity risks to unemployment insurance benefit operations. Cause: The large volume of claims stressed an outdated system and the unprecedented economic impact warranted rapid processing of claims. The rapid implementation of new unemployment benefit programs authorized by the CARES Act did not allow sufficient time to employ wage verification and other procedures. Other procedures to verify client identity, prior wages and overall eligibility were also weakened due to the unprecedented volume of claims and new procedures employed to expedite benefit payments. Lastly, the substantial increase in fraudulent claims activity is largely considered to be the result of sustained and targeted efforts impacting many states. When fraudulent benefits are successfully clawed-back or collected, the funding source for that benefit must be investigated and determined. The investigation and accounting for these amounts has lagged and was still pending at June 30, 2022. Claimant documentation requirements for the PUA program were not enforced during fiscal 2022. Effect: Fraudulent unemployment insurance claims have been paid and DLT?s systems require further enhancements to timely identify fraudulent benefit claims prior to disbursement. DLT remains at a critical juncture in developing a strategy to upgrade and modernize its unemployment insurance claims processing systems while ensuring compliance with federal program requirements including the prevention and detection of fraudulent benefit payments. The federal grantor has not yet been credited for their share of fraud recoveries. Failure to comply with documentation requirements for the PUA program resulted in material noncompliance with federal requirements for the disbursement and claiming of those unemployment benefits. Questioned Costs: $90,669 Valid Statistical Sampling: Yes RECOMMENDATIONS 2022-041a Implement a strategic plan to address the required modernization of the unemployment benefit claims processing system. The modernization should include strengthening controls to prevent fraudulent benefit payments. 2022-041b Research recoveries of overpayments or fraudulent payments and credit the federal government (appropriate federal award) for amounts recovered.
UNEMPLOYMENT INSURANCE PROGRAM INTEGRITY ? BENEFIT OVERPAYMENTS The Department of Labor and Training (DLT) did not make the necessary changes to its system to allow for the imposition of penalties on overpayments due to fraud, and to prohibit relief from charges to an employer?s Unemployment Compensation (UC) account when the overpayment was the result of the employer?s failure to respond timely or adequately to a request for information. Criteria: Federal law provides that (1) States are required to impose a monetary penalty (not less than 15 percent) on claimants whose fraudulent acts resulted in overpayments and deposit the funds in the State?s account in the Unemployment Trust Fund, and (2) States are prohibited from providing relief from charges to an employer?s UC account when overpayments are the result of the employer?s failure to respond timely or adequately to a request for information. Pub. L. No. 112-40, enacted on October 21, 2011, and effective October 21, 2013, amended sections 303(a) and 453A of the Social Security Act and sections 3303, 3304, and 3309 of the Federal Employment Tax Act (FUTA) to improve program integrity and reduce overpayments. (See UIPL Nos. 02-12, and 02-12, Change 1). In compliance with federal law, the State enacted these requirements into State law effective October 1, 2013, including a 15% penalty on overpayments due to claimant fraud (RIGL 28-42- 62.1(a)(4)) and a prohibition on relieving the employer?s account of charges relating to any benefit overpayments made if the employer was at fault for failure to respond timely or adequately to a request of the department for information relating to the claim (RIGL 28-43-3(2)(viii)). Condition: We had previously found that the State was not properly identifying and handling overpayments, including, as applicable, assessment of the 15% penalty on claimants who commit fraud, and not relieving an employer?s account of charges for overpayments when their untimely or inaccurate responses cause improper payments. Overpayments must be established and communicated to the recipient to initiate collection. Cause: Due to the increased fraudulent activity in UI claims, the department was unable to keep up with the establishment of overpayments due to claimant fraud. DLT management had previously advised us they were programming the existing benefit system to impose penalties for overpayments due to fraud. This programming change was not made in fiscal 2022. Effect: Noncompliance with federal and State laws as well as lost revenue on penalties not assessed. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-042 Adopt procedures to: (1) impose and collect a 15% penalty on benefit overpayments of claimants who commit fraud (RIGL 28-42-62.1(a)(4)) and (2) prohibit providing relief to an employer account when an overpayment is the result of the employer?s failure to respond timely or adequately to a request for information by the State agency (RIGL 28-43-3(2)(viii)).
UNEMPLOYMENT INSURANCE PROGRAM REPORTING The Department of Labor and Training (DLT) did not submit all of its required reports on time. In several instances, the person preparing the report also submits the report, meaning there is no secondary review before submission. Criteria: U.S. Department of Labor?s Employment and Training Administration (ETA) administers federal government job training and worker dislocation programs, federal grants to states for public employment service programs, and unemployment insurance benefits. Management is responsible for establishing and maintaining effective internal controls to produce and submit ETA reports in accordance with ETA?s Office requirements. - For ETA 9130, the report is due 45 days after the end of the quarter. - For ETA 2112, the report is due the 1st day of the second month following the month of reference and will be transmitted electronically. - For ETA 9050, 9052, and 9055, the report is due to the ETA National Office on the 20th of the month following the month to which the data relates. This report will be transmitted electronically. - ETA 2208A, the report is due 7 days after the end of the quarter. Condition: DLT?s internal control procedures were not sufficiently effective to ensure that ETA reports were submitted timely and that a secondary review was performed to ensure accuracy. DLT is responsible for submitting ETA reports monthly (ETA reports 2112, 9050, 9052, 9055) and quarterly (ETA reports 9130, 191, and 2208A). We tested a total of 26 submissions of the ETA reports. - 8 of 26 (31%) reports tested were submitted past the due date. - 16 of 26 (62%) reports tested the were not signed by a manager. In the case of four of these ETA reports, the preparer and the reviewer appear to be the same person. Cause: DLT has failed to segregate duties regarding preparation and review/submission of reports. Effect: Noncompliance with reporting deadlines. Errors in reports could go undetected without proper review. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-043 Implement procedures for a secondary review of all reports submitted. Establish deadlines for preparation and review to ensure timely submission.
CONTROLS OVER UNEMPLOYMENT INSURANCE BENEFIT PAYMENTS See related Financial Statement Finding 2022-002. Controls over the processing of unemployment insurance claims were ineffective to sufficiently prevent fraudulent unemployment insurance benefit payments. Controls were also ineffective to ensure compliance with the documentation of self-employment income for the Pandemic Unemployment Assistance (PUA) program. Background: Since the start of the pandemic, the Department of Labor and Training (DLT) disbursed more than $2.7 billion in unemployment insurance benefits. In response to the COVID-19 pandemic, the federal Coronavirus Aid, Relief, and Economic Security (CARES) Act expanded and/or extended unemployment insurance benefits, including providing new benefits to self-employed individuals and independent contractors. Fraudulent claims for unemployment insurance benefits also increased rapidly, concurrent with the overall increase in claims due to the pandemic. This unprecedented increase in fraudulent claims was experienced nationwide and was not unique to Rhode Island. Expanded pandemic unemployment benefits continued during fiscal 2022, through September 2021, exceeding $300 million. The system used by DLT to process unemployment insurance (UI) benefits utilizes outdated technology. This legacy system is mainframe based and programmed in COBOL. In response to the pandemic-related surge in unemployment insurance claims, new ?cloud-based? technologies were rapidly deployed to facilitate processing the volume of claims and interactions with claimants; however, the primary claims processing functions were still performed by the legacy system. Criteria: Management is responsible for establishing and maintaining effective internal controls to process and disburse unemployment insurance benefits consistent with federal program guidelines including appropriate procedures to prevent and detect fraudulent payments. Collections on overpayments due to error or fraud must be reported and credited to the appropriate federal award that funded the unemployment insurance benefit. The PUA program was created under the CARES Act to provide benefits to self-employed individuals who were previously ineligible for traditional unemployment insurance benefits. A ?covered individual? is someone who meets each of the following three conditions: 1. The individual is not eligible for regular Unemployment Compensation, Extended Benefits, or Pandemic Emergency Unemployment Compensation. This also includes those who have exhausted all rights to such benefits, self-employed, those seeking part-time employment, individuals lacking sufficient work history. Self-employed individuals include independent contractors and ?gig economy workers?. 2. Individuals must self-certify that they are unemployed, partially unemployed, or unable or unavailable to work due to one of the COVID19 related reasons identified in Section 2102(a)(3)(A)(ii)(I) of the CARES Act and in Departmental guidance (UIPL 16-20 and Attachment I, Section C.1. of UIPL 16-20, Change 4). Because this eligibility is based on self-certification, states may only request supporting documentation if they have reasonable suspicions of fraud (question 23 of Attachment I to UIPL No. 16-20, Change 2). 3. Additionally, individuals who are paid on or after December 27, 2020, must submit proof of documentation substantiating employment, self-employment, or the planned commencement of employment or self-employment (see Attachment I, Section C.2. of UIPL No. 16-20, Change 4). This includes individuals requesting retroactive payments that are not received until after December 27, 2020. Condition: DLT?s internal control procedures were not sufficiently effective to ensure that unemployment benefit payments were made only to eligible individuals. DLT estimated another $10 million in fraudulent claims were paid in fiscal 2022 prior to the end of expanded benefits in September 2021. DLT implemented additional measures since the commencement of the enhanced federal benefits which aided fraud prevention but did not fully eliminate such activities. The decreased rate of fraudulent benefits in fiscal 2022 was a significant improvement over fiscal 2021 and a direct result of fraud prevention procedures implemented by the DLT. The federal government required (effective in December 2020) stricter documentation requirements of income provisions for self-employed individuals; however, most claimants did not provide the required documentation and benefits continued. In a sample of 60 UI and PUA claimants, of which 41 (68%) were UI and 19 (32%) were PUA, our testing found that 19 of 19 (100%) claimants receiving PUA payments after December 27, 2020, provided no evidence of employment status or self-employment income as required by federal regulations. Sampled benefits missing the required documentation totaled $90,669. DLT?s failure to obtain the required documentation for a significant percentage of unemployment benefits awarded under PUA is considered material noncompliance with eligibility requirements for fiscal 2022. In some limited instances, claw back of amounts (approximating $3.7 million) paid to fraudulent beneficiaries were made. About $2 million of this was returned to the Treasury. DLT has lagged in determining the funding source of the remaining amounts ($1.7 million) resulting in a delay in crediting applicable amounts to the appropriate federal award, when applicable. Beyond the above control considerations, DLT?s current mainframe system has reached end-of-life and poses significant business continuity risks to unemployment insurance benefit operations. Cause: The large volume of claims stressed an outdated system and the unprecedented economic impact warranted rapid processing of claims. The rapid implementation of new unemployment benefit programs authorized by the CARES Act did not allow sufficient time to employ wage verification and other procedures. Other procedures to verify client identity, prior wages and overall eligibility were also weakened due to the unprecedented volume of claims and new procedures employed to expedite benefit payments. Lastly, the substantial increase in fraudulent claims activity is largely considered to be the result of sustained and targeted efforts impacting many states. When fraudulent benefits are successfully clawed-back or collected, the funding source for that benefit must be investigated and determined. The investigation and accounting for these amounts has lagged and was still pending at June 30, 2022. Claimant documentation requirements for the PUA program were not enforced during fiscal 2022. Effect: Fraudulent unemployment insurance claims have been paid and DLT?s systems require further enhancements to timely identify fraudulent benefit claims prior to disbursement. DLT remains at a critical juncture in developing a strategy to upgrade and modernize its unemployment insurance claims processing systems while ensuring compliance with federal program requirements including the prevention and detection of fraudulent benefit payments. The federal grantor has not yet been credited for their share of fraud recoveries. Failure to comply with documentation requirements for the PUA program resulted in material noncompliance with federal requirements for the disbursement and claiming of those unemployment benefits. Questioned Costs: $90,669 Valid Statistical Sampling: Yes RECOMMENDATIONS 2022-041a Implement a strategic plan to address the required modernization of the unemployment benefit claims processing system. The modernization should include strengthening controls to prevent fraudulent benefit payments. 2022-041b Research recoveries of overpayments or fraudulent payments and credit the federal government (appropriate federal award) for amounts recovered.
UNEMPLOYMENT INSURANCE PROGRAM INTEGRITY ? BENEFIT OVERPAYMENTS The Department of Labor and Training (DLT) did not make the necessary changes to its system to allow for the imposition of penalties on overpayments due to fraud, and to prohibit relief from charges to an employer?s Unemployment Compensation (UC) account when the overpayment was the result of the employer?s failure to respond timely or adequately to a request for information. Criteria: Federal law provides that (1) States are required to impose a monetary penalty (not less than 15 percent) on claimants whose fraudulent acts resulted in overpayments and deposit the funds in the State?s account in the Unemployment Trust Fund, and (2) States are prohibited from providing relief from charges to an employer?s UC account when overpayments are the result of the employer?s failure to respond timely or adequately to a request for information. Pub. L. No. 112-40, enacted on October 21, 2011, and effective October 21, 2013, amended sections 303(a) and 453A of the Social Security Act and sections 3303, 3304, and 3309 of the Federal Employment Tax Act (FUTA) to improve program integrity and reduce overpayments. (See UIPL Nos. 02-12, and 02-12, Change 1). In compliance with federal law, the State enacted these requirements into State law effective October 1, 2013, including a 15% penalty on overpayments due to claimant fraud (RIGL 28-42- 62.1(a)(4)) and a prohibition on relieving the employer?s account of charges relating to any benefit overpayments made if the employer was at fault for failure to respond timely or adequately to a request of the department for information relating to the claim (RIGL 28-43-3(2)(viii)). Condition: We had previously found that the State was not properly identifying and handling overpayments, including, as applicable, assessment of the 15% penalty on claimants who commit fraud, and not relieving an employer?s account of charges for overpayments when their untimely or inaccurate responses cause improper payments. Overpayments must be established and communicated to the recipient to initiate collection. Cause: Due to the increased fraudulent activity in UI claims, the department was unable to keep up with the establishment of overpayments due to claimant fraud. DLT management had previously advised us they were programming the existing benefit system to impose penalties for overpayments due to fraud. This programming change was not made in fiscal 2022. Effect: Noncompliance with federal and State laws as well as lost revenue on penalties not assessed. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-042 Adopt procedures to: (1) impose and collect a 15% penalty on benefit overpayments of claimants who commit fraud (RIGL 28-42-62.1(a)(4)) and (2) prohibit providing relief to an employer account when an overpayment is the result of the employer?s failure to respond timely or adequately to a request for information by the State agency (RIGL 28-43-3(2)(viii)).
UNEMPLOYMENT INSURANCE PROGRAM REPORTING The Department of Labor and Training (DLT) did not submit all of its required reports on time. In several instances, the person preparing the report also submits the report, meaning there is no secondary review before submission. Criteria: U.S. Department of Labor?s Employment and Training Administration (ETA) administers federal government job training and worker dislocation programs, federal grants to states for public employment service programs, and unemployment insurance benefits. Management is responsible for establishing and maintaining effective internal controls to produce and submit ETA reports in accordance with ETA?s Office requirements. - For ETA 9130, the report is due 45 days after the end of the quarter. - For ETA 2112, the report is due the 1st day of the second month following the month of reference and will be transmitted electronically. - For ETA 9050, 9052, and 9055, the report is due to the ETA National Office on the 20th of the month following the month to which the data relates. This report will be transmitted electronically. - ETA 2208A, the report is due 7 days after the end of the quarter. Condition: DLT?s internal control procedures were not sufficiently effective to ensure that ETA reports were submitted timely and that a secondary review was performed to ensure accuracy. DLT is responsible for submitting ETA reports monthly (ETA reports 2112, 9050, 9052, 9055) and quarterly (ETA reports 9130, 191, and 2208A). We tested a total of 26 submissions of the ETA reports. - 8 of 26 (31%) reports tested were submitted past the due date. - 16 of 26 (62%) reports tested the were not signed by a manager. In the case of four of these ETA reports, the preparer and the reviewer appear to be the same person. Cause: DLT has failed to segregate duties regarding preparation and review/submission of reports. Effect: Noncompliance with reporting deadlines. Errors in reports could go undetected without proper review. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-043 Implement procedures for a secondary review of all reports submitted. Establish deadlines for preparation and review to ensure timely submission.
RHODE ISLAND PUBLIC TRANSIT AUTHORITY ? ALLOWABLE COSTS ? CARES ACT Criteria: The grant awards include CARES Act emergency relief operating assistance, which is available for all operating activities (net of fare revenues and other operating reimbursements) incurred on or after January 20, 2020 for fixed route, demand response, ADA paratransit and shuttle services. The operating expense reimbursement should be determined and documented in accordance with Uniform Guidance (2 CFR 200) Subpart E ? Cost Principles and FTA Circular 9030.1E including the requirement that costs be accounted for in accordance with generally accepted accounting principles and be adequately documented. Condition: During our test of internal controls, we noted that costs related to three operating expense reimbursements were determined for a period using fixed route statistics which included average costs per mile and hour, less preventative maintenance and farebox recovery. We also noted that documentation for three operating expense reimbursements for a period included only the payroll reports for fixed route drivers plus benefits, calculated using a fringe benefit percentage rate, and there was no documentation that fare revenues and other operating reimbursements had been deducted from the operating expense reimbursement. Cause: The Rhode Island Public Transit Authority did not account for CARES Act operating expense reimbursements in accordance with generally accepted accounting principles and did not adequately document CARES Act operating expense reimbursements. Effect: The Rhode Island Public Transit Authority has not accounted for and documented CARES Act operating expense reimbursement in accordance with Uniform Guidance (2 CFR 200) Subpart E ? Cost Principles and FTA Circular 9030.1E. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-044 We recommend that CARES Act operating expense reimbursements be prepared utilizing the Authority?s general ledger which is prepared in accordance with generally accepted accounting principles and documented using a worksheet prepared in accordance with FTA Circular 9030.1E, that excludes ineligible costs and deducts fares and other operating expense reimbursements.
RHODE ISLAND PUBLIC TRANSIT AUTHORITY ? ALLOWABLE COSTS Criteria: The Authority is responsible for establishing and maintaining effective internal controls over compliance with requirements of laws, regulations, contracts and grant agreements applicable to federal award programs. In addition, cost principles require that charges to federal award programs be supported by appropriate documentation including applying the proper reimbursement percentage based on the contract. Condition: We noted that costs related to two operating expense reimbursements were processed using the incorrect reimbursement rate based on the grant agreement. Cause: The Rhode Island Public Transit Authority applied the incorrect reimbursement rate on two invoices within our sample. Effect: The Rhode Island Public Transit Authority has not properly applied the reimbursement rate noted in the grant agreement. Questioned Costs: $213,099 Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-045 We recommend that the Authority develop a control to ensure that the proper reimbursement rates are being applied in relation to the specific grants that funding is being requested from.
RHODE ISLAND PUBLIC TRANSIT AUTHORITY ? ALLOWABLE COSTS ? CARES ACT Criteria: The grant awards include CARES Act emergency relief operating assistance, which is available for all operating activities (net of fare revenues and other operating reimbursements) incurred on or after January 20, 2020 for fixed route, demand response, ADA paratransit and shuttle services. The operating expense reimbursement should be determined and documented in accordance with Uniform Guidance (2 CFR 200) Subpart E ? Cost Principles and FTA Circular 9030.1E including the requirement that costs be accounted for in accordance with generally accepted accounting principles and be adequately documented. Condition: During our test of internal controls, we noted that costs related to three operating expense reimbursements were determined for a period using fixed route statistics which included average costs per mile and hour, less preventative maintenance and farebox recovery. We also noted that documentation for three operating expense reimbursements for a period included only the payroll reports for fixed route drivers plus benefits, calculated using a fringe benefit percentage rate, and there was no documentation that fare revenues and other operating reimbursements had been deducted from the operating expense reimbursement. Cause: The Rhode Island Public Transit Authority did not account for CARES Act operating expense reimbursements in accordance with generally accepted accounting principles and did not adequately document CARES Act operating expense reimbursements. Effect: The Rhode Island Public Transit Authority has not accounted for and documented CARES Act operating expense reimbursement in accordance with Uniform Guidance (2 CFR 200) Subpart E ? Cost Principles and FTA Circular 9030.1E. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-044 We recommend that CARES Act operating expense reimbursements be prepared utilizing the Authority?s general ledger which is prepared in accordance with generally accepted accounting principles and documented using a worksheet prepared in accordance with FTA Circular 9030.1E, that excludes ineligible costs and deducts fares and other operating expense reimbursements.
RHODE ISLAND PUBLIC TRANSIT AUTHORITY ? ALLOWABLE COSTS Criteria: The Authority is responsible for establishing and maintaining effective internal controls over compliance with requirements of laws, regulations, contracts and grant agreements applicable to federal award programs. In addition, cost principles require that charges to federal award programs be supported by appropriate documentation including applying the proper reimbursement percentage based on the contract. Condition: We noted that costs related to two operating expense reimbursements were processed using the incorrect reimbursement rate based on the grant agreement. Cause: The Rhode Island Public Transit Authority applied the incorrect reimbursement rate on two invoices within our sample. Effect: The Rhode Island Public Transit Authority has not properly applied the reimbursement rate noted in the grant agreement. Questioned Costs: $213,099 Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-045 We recommend that the Authority develop a control to ensure that the proper reimbursement rates are being applied in relation to the specific grants that funding is being requested from.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
LEVEL OF EFFORT ? MAINTENANCE OF EFFORT (MOE) RIDOT does not have documentation supporting compliance with the Level of Effort ? Maintenance of Effort (MOE) requirement. The Department needs to establish an internal control structure to ensure compliance. Criteria: The State and Community Highway Safety program (Assistance Listing 20.600) and the National Priority Safety program (Assistance Listing 20.616), as authorized by the FAST Act, require that a state must maintain its aggregate expenditures from all other sources at or above the average level of such expenditures in fiscal years 2014 and 2015 for activities for Occupant Protection, State Traffic Safety Information System Improvements, and Impaired Driving Countermeasures (23 USC 405(a)(1)(H); 23 CFR sections 1200.21(d)(5), 1200.22(f), and 1200.23(d)(2), 1300.21(d)(5), 1300.22(c), and 1300.23(d)(2)). Condition: The Department was unable to provide documentation supporting the amounts identified as nonfederal expenditures for the base years of 2014 and 2015. The Department has identified a large pool of funds, State Police Highway Patrol salaries, to support compliance with the MOE requirements, however, there is no documentation supporting how or which salaries are being used to meet the specific requirements. Cause: RIDOT did not have adequate policies and procedures in place to document compliance with MOE. Effect: Potential noncompliance with federal rules and regulations regarding Maintenance of Effort. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATION 2022-046 Establish policies and procedures to document compliance with Maintenance of Effort. Maintain adequate detailed supporting documentation to support compliance with related Level of Effort requirements.
EARMARKING Controls over earmarking can be enhanced to ensure compliance with Federal requirements. Criteria: At least 40 percent of federal funds apportioned to a state under State and Community Highway Safety (20.600) for any fiscal year shall be expended by or for the political subdivisions of the state in carrying out local highway safety programs (23 USC 402(b)(1)(C); 23 CFR Part 1200, Appendix E and 1300 Appendix C). Condition: State and Community Highway Safety funds passed through to political subdivisions (i.e., cities and towns) only accounted for 21% of the federal funds apportioned to the State. Cause: The Department contends that the 40% requirement should be based on amounts expended by all subrecipients which includes organizations that do not meet the definition of political subdivision, for example non-profit organizations. Effect: Noncompliance with federal rules and regulations regarding earmarking. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATION 2022-047 Establish policies and procedures to ensure compliance with the earmarking requirement that no less than 40% of highway safety federal program funds are expended by or for political subdivisions of the State.
PERIOD OF PERFORMANCE Controls over period of performance can be enhanced to ensure compliance with Federal requirements. Criteria: The Highway Safety Cluster period of performance requirements are spelled out in 23 CFR 1300.41 as follows: ? Paragraph (b)(1) ?except as provided in paragraph (b)(2) of this section, unexpended grant funds shall not be available for expenditure beyond the period of three years after the last day of the fiscal year of apportionment or allocation.? ? Paragraph (b)(2) ?States may commit such unexpended grant funds to a specific project by the specified deadline, and shall provide documentary evidence of that commitment, including a copy of an executed project agreement, to the Regional Administrator.? ? Paragraph (b)(3) ?Grant funds committed to a specific project in accordance with paragraph (b)(2) of this section shall remain committed to that project and must be expended by the end of the succeeding fiscal year. The final voucher for that project shall be submitted within 120 days after the end of that fiscal year.? Condition: RIDOT was unable to provide documentation supporting its compliance with period of performance requirements. Federal awards lost their apportionment or allocation year identified within the Department when carried forward. We performed an analysis (in conjunction with reviewing the Obligation Limitation Report to ensure expired appropriations were not carried forward) that concluded the State materially complied with the period of performance requirement paragraph (b)(1) cited above, however, the lack of documentation prevented an assessment of the applicability of other period of performance compliance requirements (paragraphs (b)(2) and (3)). Cause: The Department does not have policies and procedures to ensure compliance with period of performance. Expenditures are not tracked by federal fiscal award year. Effect: Increased risk of noncompliance. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATION 2022-048 Develop policies and procedures to document compliance with period of performance requirements.
REPORTING OF PROGRAM EXPENDITURES The Department was unable to provide documentation supporting the amounts reported in the Highway Safety Plan Cost Summary and Federal Reimbursement Voucher reports. The Department?s current program accounting also results in program expenditures being duplicated in the State?s accounting system and Schedule of Expenditures of Federal Awards (SEFA). Criteria: HS Form 217 ? 23 CFR section 1200.11(e) states ?HS Form 217, meeting the requirements of Appendix B, be completed to reflect the State's proposed allocations of funds (including carry-forward funds) by program area. The funding level used shall be an estimate of available funding for the upcoming fiscal year based on amounts authorized for the fiscal year and projected carry-forward funds. Additionally, for each program area, an accompanying list of projects that the State proposes to conduct for that fiscal year and an estimated amount of Federal funds for each such project.? Federal Reimbursement Voucher ? 23 CFR 1200.33 states ?Each State shall submit official vouchers for expenses incurred to the Approving Official. At a minimum, each voucher shall provide the following information for expenses claimed in each program area: (1) Program Area for which expenses were incurred and an itemization of project numbers and amount of Federal funds expended for each project for which reimbursement is being sought; (2) Federal funds obligated; (3) Amount of Federal funds allocated to local benefit (provided no less than mid-year (by March 31) and with the final voucher); (4) Cumulative Total Cost to Date; (5) Cumulative Federal Funds Expended; (6) Previous Amount Claimed; (7) Amount Claimed this Period; (8) Matching rate (or special matching writeoff used, i.e., sliding scale rate authorized under 23 U.S.C. 120).? 2 CFR 200.510(b) Schedule of expenditures of Federal awards. ?The auditee must also prepare a schedule of expenditures of Federal awards for the period covered by the auditee's financial statements which must include the total Federal awards expended as determined in accordance with ? 200.502.? Condition: HS Form 217 ? RIDOT was unable to provide documentation supporting information included in the Highway Safety Plan Cost Summary report for 18 of the 25 projects tested, as follows (it should be noted that 3 projects are included in more than one error category): ? 8 projects included on the report were not included in the Highway Safety Plan; ? 6 projects? budget amounts included in the Highway Safety Plan Cost Summary report did not agree to supporting documentation; ? 7 projects State and/or Local share amounts did not agree to supporting documentation. Federal Reimbursement Voucher ? RIDOT was unable to provide documentation supporting amounts reported for; a.) HCS (Highway Cost Summary) Federal Funds Obligated, b.) Share to Local Benefit, and c.) State/Federal Cost to Date on the Federal Reimbursement Voucher for all 25 projects tested. Highway safety grants are expended by multiple departments within the State, namely the Attorney General?s Office, Department of Public Safety, Department of Health and RIDOT. Those departments record expenditures to federal accounts linked to HSC within the State?s accounting system (RIFANS) and then provide backup documentation to RIDOT for reimbursement. RIDOT then records those same expenditures within its Financial Management System (FMS) and RIFANS, as subrecipient payments, causing the expenditures to be duplicated in the State?s accounting system and Schedule of Expenditures of Federal Awards (SEFA) in an amount approximating $581,665. HSC expenditures were not duplicated on federal reports because RIDOT uses its FMS to report and claim HSC expenditures. Cause: RIDOT?s policies and procedures are not adequate to ensure the accurate completion of the Highway Safety Plan Cost Summary report. RIDOT?s use of multiple accounting systems to meet operational and financial reporting objectives results in unnecessary complexity and control weaknesses. Effect: Information provided to the National Highway Traffic Safety Administration may not be accurate. Inaccurate reporting of program expenditures in the State?s SEFA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-049a Enhance reporting policies and procedures over the completion and submission of the Highway Safety Plan Cost Summary (HS Form 217). Verify the amounts submitted are accurate and if necessary, resubmit with accurate and supported amounts. 2022-049b Enhance reporting policies and procedures over the completion and submission of the Federal Reimbursement Voucher report. 2022-049c Enhance controls and address current deficiencies in accounting procedures to ensure program expenditure within the State?s reporting entity are reported accurately on the SEFA.
SUBRECIPIENT MONITORING The Department?s internal control structure does not ensure all subrecipients are monitored in accordance with federal requirements. Criteria: All pass-through entities must monitor subrecipients to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved (2 CFR 200.332(d) through (f)). A pass-through entity (PTE) is responsible for: During-the-Award Monitoring ? Monitoring the activities of the subrecipient (through reporting, site visits, regular contact or other means) as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals (2 CFR sections 200.332(d) through (f)). Subaward monitoring must include the following: 1. Reviewing financial and programmatic (performance and special) reports required by the PTE. 2. Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the PTE detected through audits, on-site reviews, and other means. 3. Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the PTE as required by 2 CFR section 200.521. The PTE must verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient's federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in 2 CFR section 200.501 (2 CFR section 200.332(f)). Federal award recipients must determine whether each agreement entered into for the disbursement of federal program funds casts the entity receiving the funds in the role of a subrecipient or a contractor based on the following definitions (2 CFR 200.331): ? A subrecipient receives federal funds from a non-federal entity to carry out part of a federal program. The legal agreement between the two parties creates a federal assistance relationship commonly known as a sub-award. ? A contractor is an entity (dealer, distributor, merchant or other seller) who has a legal agreement with a non-federal entity to provide goods and services needed to carry out the program under the federal award. Condition: RIDOT passes federal awards through to many organization types, including municipalities, non-profits, and colleges/universities. The Department did not have documentation supporting the monitoring of three subrecipients, two of which are non-profits and one of which is a university. The Department did not review the audit reports for six subrecipients or have any documentation supporting its determination as to whether the subrecipients were required to have an audit as required by 2 CFR 200 subpart F. RIDOT identified three vendors providing goods or services to the department as subrecipients. Cause: Policies, procedures and established controls do not encompass all federal requirements. Effect: Monitoring controls and procedures may be insufficient to ensure that subrecipients are complying with applicable program regulations and requirements. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATION 2022-050 Enhance policies, procedures, and controls over subrecipient monitoring to ensure compliance with 2 CFR sections 200.332(d) through (f).
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
LEVEL OF EFFORT ? MAINTENANCE OF EFFORT (MOE) RIDOT does not have documentation supporting compliance with the Level of Effort ? Maintenance of Effort (MOE) requirement. The Department needs to establish an internal control structure to ensure compliance. Criteria: The State and Community Highway Safety program (Assistance Listing 20.600) and the National Priority Safety program (Assistance Listing 20.616), as authorized by the FAST Act, require that a state must maintain its aggregate expenditures from all other sources at or above the average level of such expenditures in fiscal years 2014 and 2015 for activities for Occupant Protection, State Traffic Safety Information System Improvements, and Impaired Driving Countermeasures (23 USC 405(a)(1)(H); 23 CFR sections 1200.21(d)(5), 1200.22(f), and 1200.23(d)(2), 1300.21(d)(5), 1300.22(c), and 1300.23(d)(2)). Condition: The Department was unable to provide documentation supporting the amounts identified as nonfederal expenditures for the base years of 2014 and 2015. The Department has identified a large pool of funds, State Police Highway Patrol salaries, to support compliance with the MOE requirements, however, there is no documentation supporting how or which salaries are being used to meet the specific requirements. Cause: RIDOT did not have adequate policies and procedures in place to document compliance with MOE. Effect: Potential noncompliance with federal rules and regulations regarding Maintenance of Effort. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATION 2022-046 Establish policies and procedures to document compliance with Maintenance of Effort. Maintain adequate detailed supporting documentation to support compliance with related Level of Effort requirements.
PERIOD OF PERFORMANCE Controls over period of performance can be enhanced to ensure compliance with Federal requirements. Criteria: The Highway Safety Cluster period of performance requirements are spelled out in 23 CFR 1300.41 as follows: ? Paragraph (b)(1) ?except as provided in paragraph (b)(2) of this section, unexpended grant funds shall not be available for expenditure beyond the period of three years after the last day of the fiscal year of apportionment or allocation.? ? Paragraph (b)(2) ?States may commit such unexpended grant funds to a specific project by the specified deadline, and shall provide documentary evidence of that commitment, including a copy of an executed project agreement, to the Regional Administrator.? ? Paragraph (b)(3) ?Grant funds committed to a specific project in accordance with paragraph (b)(2) of this section shall remain committed to that project and must be expended by the end of the succeeding fiscal year. The final voucher for that project shall be submitted within 120 days after the end of that fiscal year.? Condition: RIDOT was unable to provide documentation supporting its compliance with period of performance requirements. Federal awards lost their apportionment or allocation year identified within the Department when carried forward. We performed an analysis (in conjunction with reviewing the Obligation Limitation Report to ensure expired appropriations were not carried forward) that concluded the State materially complied with the period of performance requirement paragraph (b)(1) cited above, however, the lack of documentation prevented an assessment of the applicability of other period of performance compliance requirements (paragraphs (b)(2) and (3)). Cause: The Department does not have policies and procedures to ensure compliance with period of performance. Expenditures are not tracked by federal fiscal award year. Effect: Increased risk of noncompliance. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATION 2022-048 Develop policies and procedures to document compliance with period of performance requirements.
REPORTING OF PROGRAM EXPENDITURES The Department was unable to provide documentation supporting the amounts reported in the Highway Safety Plan Cost Summary and Federal Reimbursement Voucher reports. The Department?s current program accounting also results in program expenditures being duplicated in the State?s accounting system and Schedule of Expenditures of Federal Awards (SEFA). Criteria: HS Form 217 ? 23 CFR section 1200.11(e) states ?HS Form 217, meeting the requirements of Appendix B, be completed to reflect the State's proposed allocations of funds (including carry-forward funds) by program area. The funding level used shall be an estimate of available funding for the upcoming fiscal year based on amounts authorized for the fiscal year and projected carry-forward funds. Additionally, for each program area, an accompanying list of projects that the State proposes to conduct for that fiscal year and an estimated amount of Federal funds for each such project.? Federal Reimbursement Voucher ? 23 CFR 1200.33 states ?Each State shall submit official vouchers for expenses incurred to the Approving Official. At a minimum, each voucher shall provide the following information for expenses claimed in each program area: (1) Program Area for which expenses were incurred and an itemization of project numbers and amount of Federal funds expended for each project for which reimbursement is being sought; (2) Federal funds obligated; (3) Amount of Federal funds allocated to local benefit (provided no less than mid-year (by March 31) and with the final voucher); (4) Cumulative Total Cost to Date; (5) Cumulative Federal Funds Expended; (6) Previous Amount Claimed; (7) Amount Claimed this Period; (8) Matching rate (or special matching writeoff used, i.e., sliding scale rate authorized under 23 U.S.C. 120).? 2 CFR 200.510(b) Schedule of expenditures of Federal awards. ?The auditee must also prepare a schedule of expenditures of Federal awards for the period covered by the auditee's financial statements which must include the total Federal awards expended as determined in accordance with ? 200.502.? Condition: HS Form 217 ? RIDOT was unable to provide documentation supporting information included in the Highway Safety Plan Cost Summary report for 18 of the 25 projects tested, as follows (it should be noted that 3 projects are included in more than one error category): ? 8 projects included on the report were not included in the Highway Safety Plan; ? 6 projects? budget amounts included in the Highway Safety Plan Cost Summary report did not agree to supporting documentation; ? 7 projects State and/or Local share amounts did not agree to supporting documentation. Federal Reimbursement Voucher ? RIDOT was unable to provide documentation supporting amounts reported for; a.) HCS (Highway Cost Summary) Federal Funds Obligated, b.) Share to Local Benefit, and c.) State/Federal Cost to Date on the Federal Reimbursement Voucher for all 25 projects tested. Highway safety grants are expended by multiple departments within the State, namely the Attorney General?s Office, Department of Public Safety, Department of Health and RIDOT. Those departments record expenditures to federal accounts linked to HSC within the State?s accounting system (RIFANS) and then provide backup documentation to RIDOT for reimbursement. RIDOT then records those same expenditures within its Financial Management System (FMS) and RIFANS, as subrecipient payments, causing the expenditures to be duplicated in the State?s accounting system and Schedule of Expenditures of Federal Awards (SEFA) in an amount approximating $581,665. HSC expenditures were not duplicated on federal reports because RIDOT uses its FMS to report and claim HSC expenditures. Cause: RIDOT?s policies and procedures are not adequate to ensure the accurate completion of the Highway Safety Plan Cost Summary report. RIDOT?s use of multiple accounting systems to meet operational and financial reporting objectives results in unnecessary complexity and control weaknesses. Effect: Information provided to the National Highway Traffic Safety Administration may not be accurate. Inaccurate reporting of program expenditures in the State?s SEFA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-049a Enhance reporting policies and procedures over the completion and submission of the Highway Safety Plan Cost Summary (HS Form 217). Verify the amounts submitted are accurate and if necessary, resubmit with accurate and supported amounts. 2022-049b Enhance reporting policies and procedures over the completion and submission of the Federal Reimbursement Voucher report. 2022-049c Enhance controls and address current deficiencies in accounting procedures to ensure program expenditure within the State?s reporting entity are reported accurately on the SEFA.
SUBRECIPIENT MONITORING The Department?s internal control structure does not ensure all subrecipients are monitored in accordance with federal requirements. Criteria: All pass-through entities must monitor subrecipients to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved (2 CFR 200.332(d) through (f)). A pass-through entity (PTE) is responsible for: During-the-Award Monitoring ? Monitoring the activities of the subrecipient (through reporting, site visits, regular contact or other means) as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals (2 CFR sections 200.332(d) through (f)). Subaward monitoring must include the following: 1. Reviewing financial and programmatic (performance and special) reports required by the PTE. 2. Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the PTE detected through audits, on-site reviews, and other means. 3. Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the PTE as required by 2 CFR section 200.521. The PTE must verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient's federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in 2 CFR section 200.501 (2 CFR section 200.332(f)). Federal award recipients must determine whether each agreement entered into for the disbursement of federal program funds casts the entity receiving the funds in the role of a subrecipient or a contractor based on the following definitions (2 CFR 200.331): ? A subrecipient receives federal funds from a non-federal entity to carry out part of a federal program. The legal agreement between the two parties creates a federal assistance relationship commonly known as a sub-award. ? A contractor is an entity (dealer, distributor, merchant or other seller) who has a legal agreement with a non-federal entity to provide goods and services needed to carry out the program under the federal award. Condition: RIDOT passes federal awards through to many organization types, including municipalities, non-profits, and colleges/universities. The Department did not have documentation supporting the monitoring of three subrecipients, two of which are non-profits and one of which is a university. The Department did not review the audit reports for six subrecipients or have any documentation supporting its determination as to whether the subrecipients were required to have an audit as required by 2 CFR 200 subpart F. RIDOT identified three vendors providing goods or services to the department as subrecipients. Cause: Policies, procedures and established controls do not encompass all federal requirements. Effect: Monitoring controls and procedures may be insufficient to ensure that subrecipients are complying with applicable program regulations and requirements. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATION 2022-050 Enhance policies, procedures, and controls over subrecipient monitoring to ensure compliance with 2 CFR sections 200.332(d) through (f).
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
CONTROLS OVER ALLOWABILITY OF EXPENDITURES TO THE CORONAVIRUS RELIEF FUND Monitoring of certain project expenditures was not sufficient to ensure that awarded CRF funding complied with the State?s project approval. Background: The State created the Pandemic Recovery Office (PRO) to oversee the distribution of Coronavirus Relief Funds and provide guidance to State agencies and departments regarding allowable uses of the CRF funding. The PRO implemented a centralized review and pre-approval process for projects and activities funded by the CRF and other CARES Act funding. This process had three primary phases: (1) review of the initial project design; (2) determination of compliance as an allowable activity as per the federal guidance issued; and (3) governance. Personnel within the Department of Administration?s Grants Management Office, PRO, Office of Internal Audit and the Office of Management and Budget were utilized for the various phases. Most CRF funding to external entities and providers included subsequent reporting procedures or other monitoring to ensure that funds were ultimately spent for the approved purposes. Criteria: Management is responsible for designing and maintaining internal controls over compliance with federal requirements for allowable costs. Controls should be sufficient to ensure that all uses of federal funding meet the applicable allowability criteria. Condition: Our review and inquiry of certain fiscal 2022 CRF expenditures found that subsequent monitoring procedures by the State were not performed to ensure that awarded CRF funding complied with the State?s project approval. Specifically, for certain CRF awards, the State did not provide any post award reporting by the recipient entity or subsequent monitoring to ensure that the approved funding was expended in accordance with the project authorization. Cause: Lack of sufficient post award reporting requirements or monitoring procedures to document allowability of CRF expenditures in accordance with project authorization. Effect: CRF funding could have been expended for unallowable costs. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-051 Ensure that future pandemic recovery project authorizations have subsequent reporting or other monitoring requirements to fully support the post award allowability of the funding awarded.
CONTROLS OVER PANDEMIC-RELATED EXPENDITURES ALLOCABLE TO MULTIPLE FEDERAL AWARDS The State had insufficient controls to ensure expenditures were not reimbursed from more than one award under federal programs with similar pandemic response related objectives. Background: The State received an unprecedented amount of federal assistance to respond to the effects of the global pandemic including $1.25 billion for the Coronavirus Relief Fund (CRF) pursuant to the CARES Act. Assistance was also received under the FEMA Stafford Act Disaster Grants program and the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program. Certain costs were reimbursable under any of these programs and federal guidance was continually evolving which resulted in changing direction as to which costs were to be applied to a specific federal award. As guidelines and circumstances changed expenditures were often applied to one funding source and then subsequently adjusted to another funding source. Adjustments of program expenditures between federal programs often overlapped fiscal years due to the length of the pandemic. Criteria: Expenditures may only be reimbursed from one federal award. Condition: Due to changing federal guidelines and the evolving State response to the pandemic, costs were often charged to one funding source and then later moved to another funding source. When expenditures are reclassified or reallocated within the RIFANS accounting system, journal entries are used to move the aggregate dollar activity; however, the original transaction (expenditure/disbursement) remains in the account originally charged offset by a credit. This process complicates the identification of the underlying expenditures reimbursed by the federal award and increases the risk that expenditures could be reimbursed from more than one federal award. During fiscal 2022, we noted the following adjustments to financial activity supporting the cited control deficiency: ? Approximately $6.0 million in expenditures were adjusted from ELC to FEMA, and $2.9 million in expenditures adjusted from FEMA to ELC, including $2.3 million that is identified as ineligible for reimbursement to FEMA?s Disaster Grants program. ? Approximately $7.0 million was adjusted from CRF to FEMA?s Disaster Grants program and another $1.9 million from FEMA?s Disaster Grants program to CRF. Of those, $423,902 were identified as ineligible for reimbursement to FEMA?s Disaster Grants program, including some from the prior fiscal year. Controls were insufficient to ensure that costs were not reimbursed from more than one federal award. The State?s process for recording accounting adjustments via aggregate dollar journal entries limits the effectiveness of controls to prevent duplicate reimbursement from federal funding sources. Reconciliations to adequately identify any potential duplicate reimbursements were incomplete during fiscal 2022 but continued after the close of the fiscal year. Numerous journal entries were subsequently processed in fiscal 2022 to adjust COVID-related activity, for expenditures claimed in fiscal 2021 and fiscal 2020, between federal funding sources (principally CRF, FEMA, and ELC). While we acknowledge that the State has performed significant reconciliation procedures to identify instances where expenditures were charged to multiple federal programs, the manually intensive nature of those procedures does not fully mitigate the risk of the control deficiency. Cause: Due to the rapid response required during the pandemic, the existence of multiple federal funding sources, and continually evolving federal guidance, costs were moved and adjusted in the accounting system to various funding sources, which increased the risk that a cost could be reimbursed from more than one federal award. Effect: Potential duplicate reimbursement of expenditures from more than one federal award. Potential of charging costs for unallowable activities to federal programs as the expenditure detail is not maintained when expenditures are adjusted in the accounting system. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-052 Ensure reconciliations and any required adjustments are complete to demonstrate that eligible COVID program costs were not reimbursed from more than one federal funding source.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
LACK OF ADEQUATE DOCUMENTATION TO SUPPORT THE PROPORTION OF COSTS ALLOCATED TO THE PROGRAM Costs associated with financial and reporting support services were not adequately documented to support the allocation to the program. Criteria: Allowable cost principles prescribed by the Uniform Guidance requires costs charged to federal awards to be adequately documented. Documentation associated with federal grants should be sufficient to support the allocation of costs to the program. If costs are allocated to two or more activities, they must be allocated to those activities based on the proportional benefit, or allocated on a reasonable basis if the underlying benefit is to multiple programs. Condition: Costs allocated to the program for consultant fees were not sufficiently documented to support the amount apportioned to the State Fiscal Recovery Fund (SFRF) program. The Pandemic Recovery Office employed the use of a consultant to provide additional financial and reporting support services in the administration of federal programs receiving COVID-related funding in fiscal 2022. These services were administered under a contract between the State and vendor that outlined general responsibilities related to various federal programs, including the SFRF, for a flat monthly fee. Vendor invoices billing the State monthly in accordance with the contract fee were subsequently allocated to various accounts, including the SFRF. However, neither the contract and its addendums nor the vendor invoices were sufficiently detailed to support the proportionate allocation to the program. Cause: The contract with the consultant did not include a requirement to document support services provided (and invoiced) to the State at the federal program level to properly support the direct allocation to the underlying federal programs. Effect: Expenditures allocated to the program for the financial and reporting services were not fully supported in accordance with federal allowable cost principles under the Uniform Guidance. Questioned Costs: Undetermined Valid Statistical Sampling: Yes RECOMMENDATION 2022-053 Enhance procedures for documenting administrative costs (specifically contractor support services) allocated to federal programs to ensure compliance with Uniform Guidance.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
LEVEL OF EFFORT ? SUPPLEMENT NOT SUPPLANT RIDE did not ensure the Local Education Agencies (LEAs) have the required written methodology to allocate state and local funds to each Title I school and to ensure that the school receives all of the state and local funds it would otherwise receive if it were not receiving Part A funds. Criteria: The State Education Agency (SEA) must review the LEA compliance with the Title I Part A supplement not supplant provision (e.g., through subrecipient monitoring). Part A supplement not supplant provision states the ?LEA must demonstrate that it has a methodology (e.g., through written procedures) and uses it to allocate state and local funds to each Title I school and ensures that the school receives all of the state and local funds it would otherwise receive if it were not receiving Part A funds (i.e., the LEA?s methodology may not take into account a school?s Title I status) (Section 1118(b)(2) (20 USC 6321(b)(2))). An LEA may use a combination of methodologies to allocate state and local funds to schools (e.g., use a different methodology for high schools than it uses for elementary schools). An LEA also may design its methodology to take into consideration grade span or school type, student enrollment size, or schools in need of additional funds to serve high concentrations of children with disabilities, English learners, or other such groups of students the LEA determines require additional support. RIDE can review the LEA compliance with the part A supplement not supplant provision through sub-recipient monitoring.? 2 CFR 200.332 states ?Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward.? Condition: RIDE?s risk assessment identified that 22 of the 36 applicable LEAs did not have a written methodology to allocate state and local funds to each Title I school and to ensure that the school receives all of the state and local funds it would otherwise receive if it were not receiving Part A funds. The Department did not perform any follow-up to ensure the LEAs took timely and appropriate action to correct the identified deficiency. Cause: RIDE informed us that on-site subrecipient monitoring did not occur due to COVID-19 and lack of available resources. The majority of subrecipient monitoring took place virtually. Although RIDE monitored the subrecipients, they did not obtain corrective action from the LEAs regarding the lack of supplement not supplant policies and procedures. Effect: Noncompliance with federal rules and regulations. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-054 Enhance internal controls over LEA supplement not supplant requirements by obtaining corrective actions from LEA subrecipients that are not complying with federal requirements for formalized methodologies.
SPECIAL TESTS AND PROVISIONS ? OVERSIGHT AND MONITORING RESPONSIBILITIES WITH RESPECT TO CHARTER SCHOOLS WITH RELATIONSHIPS WITH CHARTER MANAGEMENT ORGANIZATIONS RIDE does not have any specific procedures to assess the risk posed by conflicts of interest, related party transactions or insufficient segregation of duties between the Charter School and Charter Management Organization (CMO). Criteria: As grantees, SEAs/LEAs are responsible for overseeing and monitoring subrecipients, including charter schools with relationships with Charter Management Organizations (CMOs). The SEA/LEA must: (1) evaluate each subrecipient?s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining appropriate subrecipient monitoring (2 CFR section 200.332(b)); and (2) monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved (2 CFR section 200.332(d)). Charter schools with relationships with CMOs that receive federal grant funds must comply with statutes authorizing the applicable grant program, regulations, the terms and conditions of their grant awards, and relevant department-issued guidance. Additionally, under Title 2 of the Code of Federal Regulations Part 200 ? Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Grant Guidance), nonfederal entities that receive federal grants: (1) must establish and maintain effective internal controls over those funds and (2) should have internal controls that comply with the US Government Accountability Office (GAO) ?Standards for Internal Control in the Federal Government? (Green Book), issued in November 1999 and updated in September 2014, or the ?Internal Control ? Integrated Framework,? issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 1992 and updated in May 2013. The Green Book and the COSO Internal Control ? Integrated Framework (COSO framework) provide specific requirements for assessing and reporting on controls in the federal government. Additional requirements applicable to nonfederal entities receiving federal funds include: (1) the Code of Federal Regulations (CFR) requirements regarding conflicts of interest, (2) guidance regarding related-party transactions in generally accepted accounting principles, and (3) the GAO Green Book and COSO framework guidance regarding segregation of duties applicable to charter schools with relationships with CMOs. Condition: RIDE?s policies, procedures, and internal control for reviewing charter schools with relationships with Charter Management Organizations (CMOs) is the same for all Local Education Agencies (LEA). Those policies and procedures do not include any specific procedures to assess the risk posed by conflicts of interest, related party transactions or insufficient segregation of duties between the Charter School and CMO. Cause: RIDE currently has one Charter School with a relationship with a CMO and they did not modify their policies, procedures, and internal controls to address the Federal requirements related to the relationship. Effect: RIDE is not in compliance with federal regulations. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-055 Enhance the policies, procedures, and internal controls over monitoring LEAs, Charter Schools, and Charter Schools with relationships to CMOs to include assessing the risk posed by conflicts of interest, related-party transactions or insufficient segregation of duties between the Charter School and CMO.
ACTIVITIES ALLOWED OR UNALLOWED Information technology (IT) security controls over the Accelegrants system need improvement to protect reliability of the system data used to administer federal compliance for the Title 1 program. Background: The Local Education Agencies (LEAs) generate and submit their Consolidated Resource Plan (CRP) to the Rhode Island Department of Education (RIDE) through the Accelegrants System ? an application provided by a third-party vendor. Using this information, RIDE allocates Title I Grants to Local Education Agencies funds to the LEAs. Additionally, the LEAs submit their requests for distributions of such federal funds through Accelegrants. The State allocation of Title I funding is reliant on the data reported in Accelegrants. Criteria: Management should ensure that systems critical to the administration of federal programs comply with IT security industry standards and best practices. The State has adopted such practices through its Division of Information Technology for agencies to comply with. Condition: Our evaluation of RIDE?s information systems security management noted several areas in need of improvement. Efforts are needed to provide a comprehensive approach to address critical system security requirements that, most importantly, addresses the following: ? Access Management: o There was no formal, documented process to either request or track user account changes (including additions, deletions, and privilege changes). o Due to a lack of a formal user account request and tracking process, it could not be determined whether user access was appropriate or removed timely. We noted that access was still available for a high number of inactive users, many with inactive periods in excess of one year. o There was no formal documented periodic review of either User Access or Privileges to validate whether the granted access was still appropriate. ? IT Risk Assessment ? there was no documented agency IT Risk Assessment process for the application and the vendor security practices. ? SOC 2 User Complementary Controls ? There was no documented evidence of agency assessment or addressing of User Complementary Controls that were specified in the vendor provided SOC 2 report. ? Vendor Management ? there is no agency evidence of IT Vendor Management oversight to ensure vendor conformance to industry standards and best practices. The agency has no method to document and review the SOC 2 report provided by the vendor. Cause: Lack of dedicated resources and documentation. Effect: Potential for IT security vulnerabilities from going unresolved and impacting application and data reliability. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-056a Enhance controls and timeframes to ensure prompt termination of system access when employees leave or change functions. Document timely reviews of access privileges to determine if access is appropriate. 2022-056b Perform and document an IT Risk Assessment on a periodic basis. 2022-056c Review vendor identified user complementary controls specified in the vendor SOC 2 report and maintain the agency response as to relevance and how they are being addressed. 2022-056d Implement basic agency IT Vendor Management oversight to ensure conformance with industry standards and best practices.
RHODE ISLAND COLLEGE ? HIGHER EDUCATION EMERGENCY RELIEF FUND (HEERF) REPORTING Criteria: The CARES Act 18004(e) and the CRRSAA 314(e) requires an institution receiving funds under HEERF I and HEERF II to submit a report to the secretary, at such time in a such a manner as the secretary may require. 1.) Quarterly public reporting for institutional requires a new, separate form to be posted covering aggregate amounts spent for HEERF I, HEERF II, and HEERF III funds each quarterly reporting period due no later than 10 days after the end of each calendar quarter. 2.) The 45-day and quarterly public reporting for the student aid portion requires certain information to be posted on the website no later than 10 days after the end of each period or calendar quarter. 3.) Annual calendar year reporting covering aggregate amounts spent for HEERF I, HEERF II, and HEERF III funds to be submitted to the Department of Education. Condition: During our testing, we noted the College did not post 2 of the 4 quarterly postings within the 10-day timeframe. The College could also not provide or produce underlying support for line items 3 and 5 of the quarterly report. Also, during our testing of the annual report for the student aid and institutional aid portion, the College was unable to provide and produce support for certain line items in the report. Context: During our testing, we noted the College did not post 2 of the 4 quarterly postings within the 10 day timeframe. For 1 of the 2 reports tested, we were not provided documentation for items 3 and 5 of the student public quarterly report. During our testing of the annual report for the calendar year 2021, the College could not provide support for line items 8(a) HEERF: (a)(1) Student Aid Portion Amount Disbursed: Amount of Emergency Financial Aid Grants applied to satisfy student?s outstanding account balance upon receiving affirmative written consent from students to do so; and 8(a) HEERF: (a)(1) Institutional Portion Amount Disbursed: Amount of Emergency Financial Aid Grants applied to satisfy student?s outstanding account balance. Cause: The College did not have a process in place to ensure reports were timely uploaded to the College?s website and a process to keep documentation on file to support the reports. Effect: Failure to support the amounts within the reports and to file the quarterly reports timely may result in loss of funding. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-057 We recommend that the College review their procedures to ensure that reports are submitted timely, and that documentation is kept for all reports.
UNIVERSITY OF RHODE ISLAND ? REPORTING Criteria: Institutions receiving funds under the Higher Education Emergency Relief Fund (HEERF) are required to submit a report to the secretary, at such time in such a manner as the secretary may require. Quarterly public reporting is required to report items noted in the Federal Register, Volume 85, No. 169 and Volume 86, No. 91 ? Department of Education, Notice of Public Posting Requirements of Grant Information for HEERF. A required element is that the estimated total number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students under CARES (a)(1) subprogram and the CRRSAA and ARP (a)(1) subprograms. The University is required to establish and maintain effective internal control over the Federal award that provides reasonable assurance that the University is managing the Federal award in compliance with Federal statutes. (2 CFR subsection 200.303). Condition: The University did not include information regarding the number of students at the institution that are eligible to receive Emergency Financial Aid Grants to Students. Context: Two of the four required quarterly reports were tested, both reports omitted information regarding the number of students at the University that were eligible to receive Emergency Financial Aid Grants. Cause: The University?s system of internal control did not contain elements to ensure all information required to be reported was included in the quarterly sales reports. Effect: The University?s quarterly reports did not contain one of the required elements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-058 We recommend that the University review its internal control procedures and policies that ensure all federal grant reporting requirements are met and make changes as needed.
RHODE ISLAND COLLEGE ? HIGHER EDUCATION EMERGENCY RELIEF FUND (HEERF) REPORTING Criteria: The CARES Act 18004(e) and the CRRSAA 314(e) requires an institution receiving funds under HEERF I and HEERF II to submit a report to the secretary, at such time in a such a manner as the secretary may require. 1.) Quarterly public reporting for institutional requires a new, separate form to be posted covering aggregate amounts spent for HEERF I, HEERF II, and HEERF III funds each quarterly reporting period due no later than 10 days after the end of each calendar quarter. 2.) The 45-day and quarterly public reporting for the student aid portion requires certain information to be posted on the website no later than 10 days after the end of each period or calendar quarter. 3.) Annual calendar year reporting covering aggregate amounts spent for HEERF I, HEERF II, and HEERF III funds to be submitted to the Department of Education. Condition: During our testing, we noted the College did not post 2 of the 4 quarterly postings within the 10-day timeframe. The College could also not provide or produce underlying support for line items 3 and 5 of the quarterly report. Also, during our testing of the annual report for the student aid and institutional aid portion, the College was unable to provide and produce support for certain line items in the report. Context: During our testing, we noted the College did not post 2 of the 4 quarterly postings within the 10 day timeframe. For 1 of the 2 reports tested, we were not provided documentation for items 3 and 5 of the student public quarterly report. During our testing of the annual report for the calendar year 2021, the College could not provide support for line items 8(a) HEERF: (a)(1) Student Aid Portion Amount Disbursed: Amount of Emergency Financial Aid Grants applied to satisfy student?s outstanding account balance upon receiving affirmative written consent from students to do so; and 8(a) HEERF: (a)(1) Institutional Portion Amount Disbursed: Amount of Emergency Financial Aid Grants applied to satisfy student?s outstanding account balance. Cause: The College did not have a process in place to ensure reports were timely uploaded to the College?s website and a process to keep documentation on file to support the reports. Effect: Failure to support the amounts within the reports and to file the quarterly reports timely may result in loss of funding. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-057 We recommend that the College review their procedures to ensure that reports are submitted timely, and that documentation is kept for all reports.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
TIME AND EFFORT REPORTING RIDOH?s time and effort reporting for general COVID-related activities did not provide adequate detail to fully support personnel costs charged to federal programs. Background: RIDOH has built robust, but complex, time reporting worksheets for employees to allocate their time spent on various activities during the week. Reconciliation of the hours worked versus the hours charged to the State?s payroll system and accounting system is performed on a quarterly basis and amounts recorded are adjusted accordingly to ensure charges in the accounting system are consistent with actual time spent on the various activities. Due to the challenges at the start of the pandemic and uncertainty regarding how costs would be funded, RIDOH adopted a general timesheet category for COVID-19 related personnel activities. Time and effort charged to this category ultimately gets allocated to federal programs in conjunction with RIDOH?s quarterly allocation of personnel costs. Criteria: 45 CFR 75.430(i)(1) requires that ?Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed.? Condition: Our review of personnel costs identified the following deficiencies that weaken controls over the allowability of personnel expenditures: ? Amounts allocated to federal programs for personnel costs were not consistently supported by properly signed and reviewed timesheets. For the Immunization program, while RIDOH was able to provide timesheets for all selected pay periods, 7 of the 74 selected weekly timesheets lacked either an employee or supervisor signature. For the ELC program, 3 of the 74 selected weekly timesheets lacked supervisor signatures, and there was no provided support, including a timesheet, for one selected payroll transaction. ? Time and effort identified to the general COVID-19 category lacked sufficient detail (i.e., underlying activity performed in support of COVID-19 response) to support its specific federal program allocation. While we found that the allowability for personnel costs charged to the underlying programs was reasonable based on the employee?s position and responsibilities, improved timesheet documentation detailing the specific activities worked by the employee (in relation to COVID-19 response) would significantly improve supporting documentation of allowable costs for these programs. Cause: The challenges in responding to the COVID 19 pandemic dramatically complicated RIDOH?s allocation of personnel expenditures amongst federal programs. The State?s lack of sufficient timesheet detail for designated COVID-19 time and effort activities (in conjunction with a lack of an integrated time and effort reporting system to easily allocate personnel costs over multiple funding sources) prevented direct verification of recorded timesheet activities to the underlying charge on federal programs. Effect: Personnel costs reimbursed from Federal awards could be unallowable due to insufficient support and documentation. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-059 Enhance weekly reporting of time and effort for COVID-19 activities to improve documentation and support for personnel costs charged to federal programs.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
TIME AND EFFORT REPORTING RIDOH?s time and effort reporting for general COVID-related activities did not provide adequate detail to fully support personnel costs charged to federal programs. Background: RIDOH has built robust, but complex, time reporting worksheets for employees to allocate their time spent on various activities during the week. Reconciliation of the hours worked versus the hours charged to the State?s payroll system and accounting system is performed on a quarterly basis and amounts recorded are adjusted accordingly to ensure charges in the accounting system are consistent with actual time spent on the various activities. Due to the challenges at the start of the pandemic and uncertainty regarding how costs would be funded, RIDOH adopted a general timesheet category for COVID-19 related personnel activities. Time and effort charged to this category ultimately gets allocated to federal programs in conjunction with RIDOH?s quarterly allocation of personnel costs. Criteria: 45 CFR 75.430(i)(1) requires that ?Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed.? Condition: Our review of personnel costs identified the following deficiencies that weaken controls over the allowability of personnel expenditures: ? Amounts allocated to federal programs for personnel costs were not consistently supported by properly signed and reviewed timesheets. For the Immunization program, while RIDOH was able to provide timesheets for all selected pay periods, 7 of the 74 selected weekly timesheets lacked either an employee or supervisor signature. For the ELC program, 3 of the 74 selected weekly timesheets lacked supervisor signatures, and there was no provided support, including a timesheet, for one selected payroll transaction. ? Time and effort identified to the general COVID-19 category lacked sufficient detail (i.e., underlying activity performed in support of COVID-19 response) to support its specific federal program allocation. While we found that the allowability for personnel costs charged to the underlying programs was reasonable based on the employee?s position and responsibilities, improved timesheet documentation detailing the specific activities worked by the employee (in relation to COVID-19 response) would significantly improve supporting documentation of allowable costs for these programs. Cause: The challenges in responding to the COVID 19 pandemic dramatically complicated RIDOH?s allocation of personnel expenditures amongst federal programs. The State?s lack of sufficient timesheet detail for designated COVID-19 time and effort activities (in conjunction with a lack of an integrated time and effort reporting system to easily allocate personnel costs over multiple funding sources) prevented direct verification of recorded timesheet activities to the underlying charge on federal programs. Effect: Personnel costs reimbursed from Federal awards could be unallowable due to insufficient support and documentation. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-059 Enhance weekly reporting of time and effort for COVID-19 activities to improve documentation and support for personnel costs charged to federal programs.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
TIME AND EFFORT REPORTING RIDOH?s time and effort reporting for general COVID-related activities did not provide adequate detail to fully support personnel costs charged to federal programs. Background: RIDOH has built robust, but complex, time reporting worksheets for employees to allocate their time spent on various activities during the week. Reconciliation of the hours worked versus the hours charged to the State?s payroll system and accounting system is performed on a quarterly basis and amounts recorded are adjusted accordingly to ensure charges in the accounting system are consistent with actual time spent on the various activities. Due to the challenges at the start of the pandemic and uncertainty regarding how costs would be funded, RIDOH adopted a general timesheet category for COVID-19 related personnel activities. Time and effort charged to this category ultimately gets allocated to federal programs in conjunction with RIDOH?s quarterly allocation of personnel costs. Criteria: 45 CFR 75.430(i)(1) requires that ?Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed.? Condition: Our review of personnel costs identified the following deficiencies that weaken controls over the allowability of personnel expenditures: ? Amounts allocated to federal programs for personnel costs were not consistently supported by properly signed and reviewed timesheets. For the Immunization program, while RIDOH was able to provide timesheets for all selected pay periods, 7 of the 74 selected weekly timesheets lacked either an employee or supervisor signature. For the ELC program, 3 of the 74 selected weekly timesheets lacked supervisor signatures, and there was no provided support, including a timesheet, for one selected payroll transaction. ? Time and effort identified to the general COVID-19 category lacked sufficient detail (i.e., underlying activity performed in support of COVID-19 response) to support its specific federal program allocation. While we found that the allowability for personnel costs charged to the underlying programs was reasonable based on the employee?s position and responsibilities, improved timesheet documentation detailing the specific activities worked by the employee (in relation to COVID-19 response) would significantly improve supporting documentation of allowable costs for these programs. Cause: The challenges in responding to the COVID 19 pandemic dramatically complicated RIDOH?s allocation of personnel expenditures amongst federal programs. The State?s lack of sufficient timesheet detail for designated COVID-19 time and effort activities (in conjunction with a lack of an integrated time and effort reporting system to easily allocate personnel costs over multiple funding sources) prevented direct verification of recorded timesheet activities to the underlying charge on federal programs. Effect: Personnel costs reimbursed from Federal awards could be unallowable due to insufficient support and documentation. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-059 Enhance weekly reporting of time and effort for COVID-19 activities to improve documentation and support for personnel costs charged to federal programs.
INSUFFICIENT DOCUMENTATION OF SUBAWARD AGREEMENTS TO SUPPORT ALLOCATION OF SUBRECIPIENT PAYMENTS TO THE ELC PROGRAM RIDOH lacked sufficient documentation of subawards (subrecipient agreements) to support the allocation of subrecipient payments to the ELC program. Criteria: 45 CFR 75.352 (a) ?Requirements for pass-through entities?, requires all pass-through entities to ?ensure that every subaward is clearly identified to the subrecipient as a subaward? and to include certain prescribed information, including the CFDA [Assistance Listing] number and name. The pass-through entity must ?identify the dollar amount made available under each Federal award and the CFDA number at the time of disbursement?. Condition: We tested a sample of 59 payments to subrecipients and the underlying subaward contracts for the required federal award information. Of the related 45 subaward contracts reviewed, we noted three instances where the original contracts expired prior to the beginning of the fiscal year and the related extensions did not identify the ELC program as an applicable federal funding source. RIDOH leveraged preexisting contracts to local entities identified as ?health equity zones? (HEZs). The health equity zone contracts include numerous contract amendments extending those agreements. The extensions reviewed in fiscal 2021 appropriately indicated ELC as a federal funding source of the subaward. In fiscal 2022, subaward agreements were again extended, however, in the case of three subaward agreements reviewed, the ELC program was not indicated as an applicable federal funding source. Proper identification of the relevant federal program information, including the relevant Assistance Listing number, is critical to ensuring that subrecipients are aware of the program restrictions to which they are required to adhere. Cause: Insufficient documentation to support the allowability of certain subawards charged to the ELC program. Effect: Potential noncompliance due to a lack of documentation to support allowability in accordance with federal regulations. Absence of the relevant identifying federal program information in subaward agreements increases the risk of noncompliance with federal regulations by the subrecipient. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-060 Ensure all subrecipient contracts and subsequent amendments contain the relevant identifying federal program information as required by Uniform Guidance.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
CONTROLS OVER PANDEMIC-RELATED EXPENDITURES ALLOCABLE TO MULTIPLE FEDERAL AWARDS The State had insufficient controls to ensure expenditures were not reimbursed from more than one award under federal programs with similar pandemic response related objectives. Background: The State received an unprecedented amount of federal assistance to respond to the effects of the global pandemic including $1.25 billion for the Coronavirus Relief Fund (CRF) pursuant to the CARES Act. Assistance was also received under the FEMA Stafford Act Disaster Grants program and the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program. Certain costs were reimbursable under any of these programs and federal guidance was continually evolving which resulted in changing direction as to which costs were to be applied to a specific federal award. As guidelines and circumstances changed expenditures were often applied to one funding source and then subsequently adjusted to another funding source. Adjustments of program expenditures between federal programs often overlapped fiscal years due to the length of the pandemic. Criteria: Expenditures may only be reimbursed from one federal award. Condition: Due to changing federal guidelines and the evolving State response to the pandemic, costs were often charged to one funding source and then later moved to another funding source. When expenditures are reclassified or reallocated within the RIFANS accounting system, journal entries are used to move the aggregate dollar activity; however, the original transaction (expenditure/disbursement) remains in the account originally charged offset by a credit. This process complicates the identification of the underlying expenditures reimbursed by the federal award and increases the risk that expenditures could be reimbursed from more than one federal award. During fiscal 2022, we noted the following adjustments to financial activity supporting the cited control deficiency: ? Approximately $6.0 million in expenditures were adjusted from ELC to FEMA, and $2.9 million in expenditures adjusted from FEMA to ELC, including $2.3 million that is identified as ineligible for reimbursement to FEMA?s Disaster Grants program. ? Approximately $7.0 million was adjusted from CRF to FEMA?s Disaster Grants program and another $1.9 million from FEMA?s Disaster Grants program to CRF. Of those, $423,902 were identified as ineligible for reimbursement to FEMA?s Disaster Grants program, including some from the prior fiscal year. Controls were insufficient to ensure that costs were not reimbursed from more than one federal award. The State?s process for recording accounting adjustments via aggregate dollar journal entries limits the effectiveness of controls to prevent duplicate reimbursement from federal funding sources. Reconciliations to adequately identify any potential duplicate reimbursements were incomplete during fiscal 2022 but continued after the close of the fiscal year. Numerous journal entries were subsequently processed in fiscal 2022 to adjust COVID-related activity, for expenditures claimed in fiscal 2021 and fiscal 2020, between federal funding sources (principally CRF, FEMA, and ELC). While we acknowledge that the State has performed significant reconciliation procedures to identify instances where expenditures were charged to multiple federal programs, the manually intensive nature of those procedures does not fully mitigate the risk of the control deficiency. Cause: Due to the rapid response required during the pandemic, the existence of multiple federal funding sources, and continually evolving federal guidance, costs were moved and adjusted in the accounting system to various funding sources, which increased the risk that a cost could be reimbursed from more than one federal award. Effect: Potential duplicate reimbursement of expenditures from more than one federal award. Potential of charging costs for unallowable activities to federal programs as the expenditure detail is not maintained when expenditures are adjusted in the accounting system. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-052 Ensure reconciliations and any required adjustments are complete to demonstrate that eligible COVID program costs were not reimbursed from more than one federal funding source.
TIME AND EFFORT REPORTING RIDOH?s time and effort reporting for general COVID-related activities did not provide adequate detail to fully support personnel costs charged to federal programs. Background: RIDOH has built robust, but complex, time reporting worksheets for employees to allocate their time spent on various activities during the week. Reconciliation of the hours worked versus the hours charged to the State?s payroll system and accounting system is performed on a quarterly basis and amounts recorded are adjusted accordingly to ensure charges in the accounting system are consistent with actual time spent on the various activities. Due to the challenges at the start of the pandemic and uncertainty regarding how costs would be funded, RIDOH adopted a general timesheet category for COVID-19 related personnel activities. Time and effort charged to this category ultimately gets allocated to federal programs in conjunction with RIDOH?s quarterly allocation of personnel costs. Criteria: 45 CFR 75.430(i)(1) requires that ?Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed.? Condition: Our review of personnel costs identified the following deficiencies that weaken controls over the allowability of personnel expenditures: ? Amounts allocated to federal programs for personnel costs were not consistently supported by properly signed and reviewed timesheets. For the Immunization program, while RIDOH was able to provide timesheets for all selected pay periods, 7 of the 74 selected weekly timesheets lacked either an employee or supervisor signature. For the ELC program, 3 of the 74 selected weekly timesheets lacked supervisor signatures, and there was no provided support, including a timesheet, for one selected payroll transaction. ? Time and effort identified to the general COVID-19 category lacked sufficient detail (i.e., underlying activity performed in support of COVID-19 response) to support its specific federal program allocation. While we found that the allowability for personnel costs charged to the underlying programs was reasonable based on the employee?s position and responsibilities, improved timesheet documentation detailing the specific activities worked by the employee (in relation to COVID-19 response) would significantly improve supporting documentation of allowable costs for these programs. Cause: The challenges in responding to the COVID 19 pandemic dramatically complicated RIDOH?s allocation of personnel expenditures amongst federal programs. The State?s lack of sufficient timesheet detail for designated COVID-19 time and effort activities (in conjunction with a lack of an integrated time and effort reporting system to easily allocate personnel costs over multiple funding sources) prevented direct verification of recorded timesheet activities to the underlying charge on federal programs. Effect: Personnel costs reimbursed from Federal awards could be unallowable due to insufficient support and documentation. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-059 Enhance weekly reporting of time and effort for COVID-19 activities to improve documentation and support for personnel costs charged to federal programs.
INSUFFICIENT DOCUMENTATION OF SUBAWARD AGREEMENTS TO SUPPORT ALLOCATION OF SUBRECIPIENT PAYMENTS TO THE ELC PROGRAM RIDOH lacked sufficient documentation of subawards (subrecipient agreements) to support the allocation of subrecipient payments to the ELC program. Criteria: 45 CFR 75.352 (a) ?Requirements for pass-through entities?, requires all pass-through entities to ?ensure that every subaward is clearly identified to the subrecipient as a subaward? and to include certain prescribed information, including the CFDA [Assistance Listing] number and name. The pass-through entity must ?identify the dollar amount made available under each Federal award and the CFDA number at the time of disbursement?. Condition: We tested a sample of 59 payments to subrecipients and the underlying subaward contracts for the required federal award information. Of the related 45 subaward contracts reviewed, we noted three instances where the original contracts expired prior to the beginning of the fiscal year and the related extensions did not identify the ELC program as an applicable federal funding source. RIDOH leveraged preexisting contracts to local entities identified as ?health equity zones? (HEZs). The health equity zone contracts include numerous contract amendments extending those agreements. The extensions reviewed in fiscal 2021 appropriately indicated ELC as a federal funding source of the subaward. In fiscal 2022, subaward agreements were again extended, however, in the case of three subaward agreements reviewed, the ELC program was not indicated as an applicable federal funding source. Proper identification of the relevant federal program information, including the relevant Assistance Listing number, is critical to ensuring that subrecipients are aware of the program restrictions to which they are required to adhere. Cause: Insufficient documentation to support the allowability of certain subawards charged to the ELC program. Effect: Potential noncompliance due to a lack of documentation to support allowability in accordance with federal regulations. Absence of the relevant identifying federal program information in subaward agreements increases the risk of noncompliance with federal regulations by the subrecipient. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-060 Ensure all subrecipient contracts and subsequent amendments contain the relevant identifying federal program information as required by Uniform Guidance.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
TANF ELIGIBILITY ? RIBRIDGES The State can improve compliance with TANF eligibility requirements specifically by ensuring consistent documentation of eligibility components within RIBridges. Background: RIBridges is the State?s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and provide for periodic validation of client attested data through multiple electronic interfaces. RIBridges system operation has been problematic since implementation and efforts to address eligibility processing challenges are ongoing. Enhanced federal funding for new eligibility systems was approved to provide more efficient, economical, and effective administration of these human service programs. Criteria: Federal regulation 45 CFR 260.20 requires that a family be needy in order to be eligible for TANF assistance and job preparation services. Federal regulation 45 CFR 205.60(a) requires (the state agency) ?to maintain records to support eligibility, including facts to support the client?s need for assistance. The State?s policies and procedures require that documentation used to verify eligibility be maintained in the case file.? Federal regulations define appropriate sources of documentation to verify TANF applicant data when determining TANF eligibility. Condition: Documentation in RIBridges was insufficient to support eligibility in certain cases tested. When evaluating exceptions relating to case documentation deficiencies, questioned costs and consideration of material noncompliance with eligibility requirements are based on documentation of critical household eligibility factors (income, residency, citizenship, valid social security number, birth certificates). If documentation omission was isolated in a case record and did not impact the substantial eligibility of the household, it was treated as an exception for control deficiency considerations only. [See Schedule of Findings and Questioned Costs for table.] While applicant-attested information in most cases supported applicant eligibility for TANF, the lack of required critical supporting documentation in 4.4% of the case files tested, in addition to the high number of other documentation deficiencies noted, was deemed to be a material weakness in internal control over TANF eligibility. Cause: Most case errors noted resulted from worker noncompliance with documentation requirements for elements of eligibility determination. Additional focus and training are required to ensure consistent documentation of eligibility components within RIBridges. Effect: Ineffective controls over the eligibility process for TANF increase the potential for payment of benefits to ineligible families and/or payment of incorrect benefit amounts. Questioned Costs: $10,005 Valid Statistical Sampling: Yes RECOMMENDATION 2022-061 Improve policies and procedures to ensure that all required eligibility compliance requirements are documented within RIBridges.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
TANF ELIGIBILITY ? RIBRIDGES The State can improve compliance with TANF eligibility requirements specifically by ensuring consistent documentation of eligibility components within RIBridges. Background: RIBridges is the State?s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and provide for periodic validation of client attested data through multiple electronic interfaces. RIBridges system operation has been problematic since implementation and efforts to address eligibility processing challenges are ongoing. Enhanced federal funding for new eligibility systems was approved to provide more efficient, economical, and effective administration of these human service programs. Criteria: Federal regulation 45 CFR 260.20 requires that a family be needy in order to be eligible for TANF assistance and job preparation services. Federal regulation 45 CFR 205.60(a) requires (the state agency) ?to maintain records to support eligibility, including facts to support the client?s need for assistance. The State?s policies and procedures require that documentation used to verify eligibility be maintained in the case file.? Federal regulations define appropriate sources of documentation to verify TANF applicant data when determining TANF eligibility. Condition: Documentation in RIBridges was insufficient to support eligibility in certain cases tested. When evaluating exceptions relating to case documentation deficiencies, questioned costs and consideration of material noncompliance with eligibility requirements are based on documentation of critical household eligibility factors (income, residency, citizenship, valid social security number, birth certificates). If documentation omission was isolated in a case record and did not impact the substantial eligibility of the household, it was treated as an exception for control deficiency considerations only. [See Schedule of Findings and Questioned Costs for table.] While applicant-attested information in most cases supported applicant eligibility for TANF, the lack of required critical supporting documentation in 4.4% of the case files tested, in addition to the high number of other documentation deficiencies noted, was deemed to be a material weakness in internal control over TANF eligibility. Cause: Most case errors noted resulted from worker noncompliance with documentation requirements for elements of eligibility determination. Additional focus and training are required to ensure consistent documentation of eligibility components within RIBridges. Effect: Ineffective controls over the eligibility process for TANF increase the potential for payment of benefits to ineligible families and/or payment of incorrect benefit amounts. Questioned Costs: $10,005 Valid Statistical Sampling: Yes RECOMMENDATION 2022-061 Improve policies and procedures to ensure that all required eligibility compliance requirements are documented within RIBridges.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
CONTROLS OVER ELIGIBILITY, INCOME VALIDATION, AND DETERMINATION OF PARENT COST-SHARING AMOUNTS RIBridges controls over eligibility determinations, income validation, and calculation of required parent cost-sharing amounts require strengthening for the CCDF Cluster programs. Controls to improve the documentation of eligibility specifically need improvement to support compliance with federal regulations. Background: RIBridges is the State?s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and provide for periodic validation of client attested data through multiple electronic interfaces. RIBridges system operation has been problematic since implementation and efforts to address eligibility processing challenges are ongoing. RIBridges determines eligibility for a childcare subsidy and the amount of parental co-pay based on family income and family size. Payments to licensed childcare providers are made through RIBridges. RIBridges is the official source of recipient eligibility documentation for the childcare program. Criteria: Lead agencies must have in place procedures for documenting and verifying eligibility in accordance with federal requirements, as well as the specific eligibility requirements selected by each State in its approved plan. A lead agency is the designated State, territorial or tribal entity to which the CCDF grant is awarded and that is accountable for administering the CCDF program. Lead agencies shall establish a sliding fee scale, based on family size, income, and other appropriate factors, that provides for cost sharing by families that receive CCDF childcare services (45 CFR section 98.45(k)). Lead agencies may exempt families below the poverty line from making copayments and shall establish a payment rate schedule for childcare providers caring for subsidized children (45 CFR section 98.45(k)(4)). Condition: RIBridges lacked effective income validation controls to determine program eligibility and potential family co-share amounts. Documentation supporting child care program eligibility was not found in 8 out of the 40 sample cases we reviewed, resulting in a 20% error rate. We considered a 20% error rate to represent material noncompliance with federal regulations over childcare eligibility requirements. The complete details of our testing are presented in the following table: [See Schedule of Findings and Questioned Costs for table.] Cause: Eligibility exceptions noted resulted from worker noncompliance with documentation requirements supporting eligibility determinations. Additional focus and training are required to ensure consistent documentation of eligibility components within RIBridges. Controls over the input of payroll information were also deficient, resulting in improper co-share amounts being determined. Effect: Noncompliance with childcare eligibility requirements. Parental income/co-shares were incorrectly determined in some cases. Failure to end benefits timely when applicant employment ended. Questioned Costs: $38,985 Valid Statistical Sampling: Yes RECOMMENDATION 2022-062 Improve controls over CCDF eligibility determinations by ensuring consistent inclusion of eligibility documentation in the electronic case record and appropriate consideration of parent earnings information for determination of parent co-shares.
CCDF ? ALLOWABLE COSTS ? OTHER MATTERS Likely questioned costs were identified in conjunction with a fraud investigation performed by the Office of Internal Audit (OIA). Criteria: Uniform Guidance section 200.516(a)(6) states that the auditor must report known or likely fraud affecting a Federal award, unless such fraud is otherwise reported as an audit finding in the schedule of findings and questioned costs for Federal awards. Condition: During our audit inquiries during the fiscal 2022 audit of the CCDF Cluster, the State?s Office of Internal Audit (OIA) disclosed potential fraud relating to the Child Care Program that they discovered in relation to claiming that predated fiscal 2021 (prior to relaxation of program requirements during the public health emergency). OIA identified claiming for unreported absences, excess absences, and failure to report change in enrollment status. The OIA?s findings were communicated to law enforcement and charges were filed against the related Child Care provider. Potential claiming in relation to the OIA?s findings approximated $820,000 in Child Care payments. Cause: Potential fraud committed by a Child Care provider not detected by program controls. Effect: Child Care payments were made to a provider for ineligible services billed. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-063 Evaluate the underlying allegations of program fraud and return funds to the federal government that did not meet federal requirements.
ADMINISTRATIVE ASSESSMENT CHARGED TO PANDEMIC-RELATED FEDERAL PROGRAMS WITHOUT FEDERAL APPROVAL Questioned costs were identified for an administrative assessment charged to pandemic-related federal awards without the methodology being approved by the federal government as required by the Uniform Guidance. Criteria: Consistent with Uniform Guidance cost principles, allocated centralized costs to federal programs are required to be included in the State?s statewide cost allocation plan. This plan is submitted annually for approval by the State?s federal cognizant agency, the U.S. Department of Health and Human Services. The Uniform Guidance further defines allocated central services as ?central services that benefit operating agencies but are not billed to the agencies on a fee-for-service or similar basis. These costs are allocated to benefitted agencies on some reasonable basis?. Condition: During fiscal 2022, the State employed an administrative assessment on certain pandemic-related federal programs without seeking and receiving federal approval for the allocation of the costs. The assessment was designed to eventually fund the State?s costs of administering new federal programs relating to the COVID-19 public health emergency. The State implemented this process in response to the adoption of a newly established State law, Rhode Island General Law ?35-1.1-5. The law authorized an assessment on all federal programs administered by the State (with an additional assessment on COVID-19 pandemic related assistance). The methodology implemented, however, still had to comply with the requirements of federal Uniform Guidance which the State had not sought at the time of our audit. The lack of an approved federal methodology for the administrative assessment resulted in identified questioned costs of $6.1 million in fiscal 2022. That included $4.8 million relating to various major programs subject to Single Audit testing in fiscal 2022 and an additional $1.3 million identified for other federal programs (with questioned costs greater than $25,000 for those programs) which are also required to be reported under the Uniform Guidance. Cause: The State did not seek federal approval for the charged administrative assessment (adding to the State?s federally approved Statewide Cost Allocation Plan (SWCAP) would have been the most efficient manner to obtain federal approval). Effect: Centralized costs were allocated to several federal programs without an approved cost allocation methodology required by the Uniform Guidance. Questioned Costs: $6,114,755 (see table below for program detail): [See Schedule of Findings and Questioned Costs for table.] Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-037a Reimburse administrative assessments charged to federal programs pending federal acceptance of an approved cost allocation methodology. 2022-037b Submit cost allocation methodology for pandemic-related federal funds to federal government for approval. Amend the 2022 SWCAP to seek retroactive approval for fiscal 2022 costs allocated.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
CONTROLS OVER ELIGIBILITY, INCOME VALIDATION, AND DETERMINATION OF PARENT COST-SHARING AMOUNTS RIBridges controls over eligibility determinations, income validation, and calculation of required parent cost-sharing amounts require strengthening for the CCDF Cluster programs. Controls to improve the documentation of eligibility specifically need improvement to support compliance with federal regulations. Background: RIBridges is the State?s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and provide for periodic validation of client attested data through multiple electronic interfaces. RIBridges system operation has been problematic since implementation and efforts to address eligibility processing challenges are ongoing. RIBridges determines eligibility for a childcare subsidy and the amount of parental co-pay based on family income and family size. Payments to licensed childcare providers are made through RIBridges. RIBridges is the official source of recipient eligibility documentation for the childcare program. Criteria: Lead agencies must have in place procedures for documenting and verifying eligibility in accordance with federal requirements, as well as the specific eligibility requirements selected by each State in its approved plan. A lead agency is the designated State, territorial or tribal entity to which the CCDF grant is awarded and that is accountable for administering the CCDF program. Lead agencies shall establish a sliding fee scale, based on family size, income, and other appropriate factors, that provides for cost sharing by families that receive CCDF childcare services (45 CFR section 98.45(k)). Lead agencies may exempt families below the poverty line from making copayments and shall establish a payment rate schedule for childcare providers caring for subsidized children (45 CFR section 98.45(k)(4)). Condition: RIBridges lacked effective income validation controls to determine program eligibility and potential family co-share amounts. Documentation supporting child care program eligibility was not found in 8 out of the 40 sample cases we reviewed, resulting in a 20% error rate. We considered a 20% error rate to represent material noncompliance with federal regulations over childcare eligibility requirements. The complete details of our testing are presented in the following table: [See Schedule of Findings and Questioned Costs for table.] Cause: Eligibility exceptions noted resulted from worker noncompliance with documentation requirements supporting eligibility determinations. Additional focus and training are required to ensure consistent documentation of eligibility components within RIBridges. Controls over the input of payroll information were also deficient, resulting in improper co-share amounts being determined. Effect: Noncompliance with childcare eligibility requirements. Parental income/co-shares were incorrectly determined in some cases. Failure to end benefits timely when applicant employment ended. Questioned Costs: $38,985 Valid Statistical Sampling: Yes RECOMMENDATION 2022-062 Improve controls over CCDF eligibility determinations by ensuring consistent inclusion of eligibility documentation in the electronic case record and appropriate consideration of parent earnings information for determination of parent co-shares.
CCDF ? ALLOWABLE COSTS ? OTHER MATTERS Likely questioned costs were identified in conjunction with a fraud investigation performed by the Office of Internal Audit (OIA). Criteria: Uniform Guidance section 200.516(a)(6) states that the auditor must report known or likely fraud affecting a Federal award, unless such fraud is otherwise reported as an audit finding in the schedule of findings and questioned costs for Federal awards. Condition: During our audit inquiries during the fiscal 2022 audit of the CCDF Cluster, the State?s Office of Internal Audit (OIA) disclosed potential fraud relating to the Child Care Program that they discovered in relation to claiming that predated fiscal 2021 (prior to relaxation of program requirements during the public health emergency). OIA identified claiming for unreported absences, excess absences, and failure to report change in enrollment status. The OIA?s findings were communicated to law enforcement and charges were filed against the related Child Care provider. Potential claiming in relation to the OIA?s findings approximated $820,000 in Child Care payments. Cause: Potential fraud committed by a Child Care provider not detected by program controls. Effect: Child Care payments were made to a provider for ineligible services billed. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-063 Evaluate the underlying allegations of program fraud and return funds to the federal government that did not meet federal requirements.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
CONTROLS OVER ELIGIBILITY, INCOME VALIDATION, AND DETERMINATION OF PARENT COST-SHARING AMOUNTS RIBridges controls over eligibility determinations, income validation, and calculation of required parent cost-sharing amounts require strengthening for the CCDF Cluster programs. Controls to improve the documentation of eligibility specifically need improvement to support compliance with federal regulations. Background: RIBridges is the State?s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and provide for periodic validation of client attested data through multiple electronic interfaces. RIBridges system operation has been problematic since implementation and efforts to address eligibility processing challenges are ongoing. RIBridges determines eligibility for a childcare subsidy and the amount of parental co-pay based on family income and family size. Payments to licensed childcare providers are made through RIBridges. RIBridges is the official source of recipient eligibility documentation for the childcare program. Criteria: Lead agencies must have in place procedures for documenting and verifying eligibility in accordance with federal requirements, as well as the specific eligibility requirements selected by each State in its approved plan. A lead agency is the designated State, territorial or tribal entity to which the CCDF grant is awarded and that is accountable for administering the CCDF program. Lead agencies shall establish a sliding fee scale, based on family size, income, and other appropriate factors, that provides for cost sharing by families that receive CCDF childcare services (45 CFR section 98.45(k)). Lead agencies may exempt families below the poverty line from making copayments and shall establish a payment rate schedule for childcare providers caring for subsidized children (45 CFR section 98.45(k)(4)). Condition: RIBridges lacked effective income validation controls to determine program eligibility and potential family co-share amounts. Documentation supporting child care program eligibility was not found in 8 out of the 40 sample cases we reviewed, resulting in a 20% error rate. We considered a 20% error rate to represent material noncompliance with federal regulations over childcare eligibility requirements. The complete details of our testing are presented in the following table: [See Schedule of Findings and Questioned Costs for table.] Cause: Eligibility exceptions noted resulted from worker noncompliance with documentation requirements supporting eligibility determinations. Additional focus and training are required to ensure consistent documentation of eligibility components within RIBridges. Controls over the input of payroll information were also deficient, resulting in improper co-share amounts being determined. Effect: Noncompliance with childcare eligibility requirements. Parental income/co-shares were incorrectly determined in some cases. Failure to end benefits timely when applicant employment ended. Questioned Costs: $38,985 Valid Statistical Sampling: Yes RECOMMENDATION 2022-062 Improve controls over CCDF eligibility determinations by ensuring consistent inclusion of eligibility documentation in the electronic case record and appropriate consideration of parent earnings information for determination of parent co-shares.
CCDF ? ALLOWABLE COSTS ? OTHER MATTERS Likely questioned costs were identified in conjunction with a fraud investigation performed by the Office of Internal Audit (OIA). Criteria: Uniform Guidance section 200.516(a)(6) states that the auditor must report known or likely fraud affecting a Federal award, unless such fraud is otherwise reported as an audit finding in the schedule of findings and questioned costs for Federal awards. Condition: During our audit inquiries during the fiscal 2022 audit of the CCDF Cluster, the State?s Office of Internal Audit (OIA) disclosed potential fraud relating to the Child Care Program that they discovered in relation to claiming that predated fiscal 2021 (prior to relaxation of program requirements during the public health emergency). OIA identified claiming for unreported absences, excess absences, and failure to report change in enrollment status. The OIA?s findings were communicated to law enforcement and charges were filed against the related Child Care provider. Potential claiming in relation to the OIA?s findings approximated $820,000 in Child Care payments. Cause: Potential fraud committed by a Child Care provider not detected by program controls. Effect: Child Care payments were made to a provider for ineligible services billed. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-063 Evaluate the underlying allegations of program fraud and return funds to the federal government that did not meet federal requirements.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
CONTROLS OVER ELIGIBILITY DETERMINATIONS WITHIN THE CHILDREN?S HEALTH INSURANCE PROGRAM (CHIP) ? MATERIAL NONCOMPLIANCE The State did not materially comply with CHIP eligibility requirements during fiscal 2022. RIBridges is not fully evaluating all eligibility criteria to ensure compliance with federal regulations. Background: RIBridges, the State?s computer system used to manage multiple federally funded human service programs, determines eligibility for CHIP. During fiscal 2022, in response to the COVID-19 public health emergency (PHE), federal guidance and temporary changes to the State Plan continued to limit the State?s data verification procedures when evaluating eligibility of new program applicants and prohibited modifying recipient eligibility of existing recipients during the PHE. This finding focuses on the results from testing the more limited controls in place during fiscal 2022. Criteria: Eligibility requirements for CHIP are detailed in the State Plan. Recipient eligibility requirements generally include children under age 19 with household income less than 261% of the federal poverty limit (FPL). Coverage of pregnant women and unborn children of non-citizens is also available under CHIP for individuals with household income less than 253% of FPL. Enhanced funding under CHIP is available only for children without existing health coverage. Children with existing health coverage would be eligible for Medical Assistance. Condition: Controls over CHIP eligibility determinations, except for the limitations described above, were largely unchanged during fiscal 2022. While most CHIP eligibility was identified through RIBridges, EOHHS identified additional CHIP claiming (approximately $4.9 million) through querying the MMIS for individuals meeting CHIP characteristics but not coded as CHIP eligible by RIBridges. Utilizing two separate claiming mechanisms continues to weaken controls over CHIP eligibility. For fiscal 2022, we tested a sample of 40 capitation payments (total population of 1.6 million payments totaling $107.7 million, federal share - $65.8 million) claimed to CHIP for limited eligibility requirements deemed applicable during the PHE. Operational and control deficiencies during fiscal 2022 resulted in material noncompliance with eligibility requirements for CHIP. For all exceptions, the State did not consider the existence of third-party health coverage when determining eligibility for CHIP. We found that two individuals out of the 40 tested were covered by existing health coverage at the time of the claim for a 5% error rate. The citizenship of one of the individuals considered ineligible was also not documented in accordance with federal regulations. Capitation and claims paid in relation to these individuals totaled $5,823 during fiscal 2022 (federal questioned costs - $4,237). These costs would be eligible for claiming to Medicaid. During fiscal 2022, RIBridges was not currently evaluating existing health coverage in conjunction with determining CHIP eligibility, a practice inconsistent with the CHIP State Plan. The State?s most effective data source for identifying third-party insurance (automated TPL data match with private insurers) is utilized in the MMIS but was not interfacing with RIBridges during fiscal 2022. Cause: Noncompliance with CHIP eligibility requirements is caused by CHIP specific programming deficiencies within RIBridges, most notably, the lack of functionality to consider the availability of existing health coverage at the time of application. Effect: Material noncompliance with federal requirements relating to recipient eligibility for CHIP. Questioned Costs: $4,237 Valid Statistical Sampling: Yes RECOMMENDATIONS 2022-064a Address and correct the RIBridges system deficiencies which weaken controls and result in material noncompliance with federal regulations regarding CHIP eligibility. 2022-064b Identify ineligible CHIP costs and return to the federal grantor.
MANAGED CARE FINANCIAL AUDIT The State is not currently in compliance with federal regulations requiring States to implement certain program integrity safeguards when administering Medicaid managed care programs. Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs: ? 42 CFR 438.3(m) Audited financial reports. ?The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.? ? 42 CFR 438.602(e) Periodic audits. ?The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.? Condition: Federal program integrity requirements including required audits of MCO financial and encounter data have not been implemented by the State. These requirements are effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the requirements have not been complied with and policies and procedures specifically outlining the scope of the audits to be performed have not been documented. Cause: Failure to implement federal requirements for stated effective date. Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-065a Improve required contract language for required MCO financial audits to ensure compliance with federal requirements. 2022-065b Implement policies and procedures to comply with federal regulations for MCO financial audits.
MEDICAID MANAGED CARE ORGANIZATIONS ? PROVIDER ELIGIBILITY The State began procedures for the screening, enrollment, and revalidation of providers used in managed care organization (MCO) networks in fiscal 2022; however, a majority of MCO providers remained outstanding at year-end and thus the State did not materially comply with these federal requirements relating to provider eligibility. Criteria: 42 CFR Section 438.602, titled Managed Care, Additional Program Integrity Safeguards, State Responsibilities requires the State to comply with the following sections relating to provider eligibility: ?(b) Screening and enrollment and revalidation providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section for up to 120 days but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120-day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ?438.608(c). (d) Federal database checks. Consistent with the requirements at ?455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ?438.610(c).? Condition: The Medicaid and CHIP Managed Care Final Rule implemented new screening, enrollment, and revalidation requirements for providers of managed care organizations operating within these federal programs. These requirements became effective for fiscal 2019, however, EOHHS had not yet materially complied with these new regulations through fiscal 2022. Cause: Failure to implement federal requirements by the required effective date. EOHHS implemented new procedures and began enrollment in fiscal 2022 but the majority (approximately 90%) of MCO providers were not enrolled as of June 30, 2022. Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-066 Expedite implementation of procedures to comply with federal regulations for the screening, enrollment and revalidation of providers used in managed care organization networks.
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS See related Financial Statement Finding 2022-003. Capitation payments to MCOs represent approximately 60% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures. Background: Medicaid expenditures for individuals enrolled in managed care during fiscal 2022 approximated $1.9 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for 303,301 Medicaid eligible individuals - approximately 91% of total Medicaid enrollees at June 30, 2022. These capitation payments related to the following managed care programs within the State?s Medicaid program: [See Schedule of Findings and Questioned Costs for table.] Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. These programs, however, operate under similar contract structures for purposes of financial settlement with Medicaid. Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Center for Medicare & Medicaid Services overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs. Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls. Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are impacted by the control deficiencies described in Finding 2022-003 relating to the State?s financial reporting and Finding 2022-065 relating to noncompliance with the federal requirements for MCO audit provisions. These deficiencies also impact controls over federal compliance with allowable cost principles in relation to managed care contract settlements. Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP: Finding 2022-003, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls ? Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process. Finding 2022-065, Managed Care Financial Audit ? CMS inclusion of managed care financial audit requirements relating to managed care were designed to improve controls over financial activity and the underlying data reported by managed care organizations which become the basis for contract settlements with the Medicaid and CHIP programs. The State?s noncompliance with these federal requirements results in weakened controls over the administration of managed care activity. Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates. In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2021 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. The following table provides context regarding the amount of medical expenditures that were not supported by submitted encounter data in fiscal 2021 contract settlements. [See Schedule of Findings and Questioned Costs for table.] We also assessed controls to ensure the timely termination of eligibility for deceased individuals to prevent continued payment of managed care capitation after death. We found that the State had not ended eligibility in the MMIS for 127 individuals within 90 days of the date of death. This control deficiency resulted in managed care capitation totaling $467,740 (federal share - $391,994) paid for individuals who had been deceased for more than 90 days. Of that group, 77 individuals remained Medicaid active with capitation paid to the managed care organization for more than 180 days after death. While the State can recoup the capitation once the individual?s death is recorded and eligibility is ended, the delay in termination for deceased individuals further weakens overall controls relating to managed care contract settlements. The State should improve controls to ensure that capitation payments are not continued for Medicaid recipients after death. Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments. Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees. Questioned Costs: $391,994 Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-067a Improve controls over compliance requirements for the allowability of federal expenditures by addressing related internal control deficiencies (including system limitations) over financial reporting and federal noncompliance that specifically impacts financial settlements with managed care organizations. 2022-067b Improve controls to ensure the timely termination of Medicaid eligibility for deceased individuals to prevent continued payment of managed care capitation after death.
FEDERAL REPORTING Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs. Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The State?s RIFANS accounting system is the official record of federal program expenditures and therefore should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures to authorized grant awards (by federal fiscal year) for the respective programs. Condition: Reviews of federal reports for fiscal 2022 noted the following reporting deficiencies: ? Approximately $3.3 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs. ? Reconciling administrative expenditures to the State Accounting System was not performed consistently by the State?s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. ? Amounts reported for benefit expenditures on the CMS-64 Report were in excess of amounts reported in the State Accounting System. While EOHHS believes this was caused by new reporting for reinvestments of the additional 10% federal reimbursement on home and community based services, EOHHS?s reconciliation between the CMS-64 Report and the State Accounting System did not provide documentation supporting the federal reporting difference. ? Nursing facility taxes and hospital licensing fees were reported quarterly in accordance with CMS-64 Report requirements. EOHHS, however, needs to consider whether other healthcare related taxes meet the requirements for reporting on the CMS-64 Report to ensure the completeness of reports filed. The OAG specifically inquired regarding premium taxes that are factored into Medicaid managed care rates to determine if that health insurer tax should also be reported on the CMS-64 Report. Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State Accounting System represents a weakness in internal control over federal reporting. Procedures to ensure the consistent and complete reporting of healthcare-related taxes and fees on the CMS-64 Report are lacking. Effect: Increased risk of inaccurate federal reporting. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-068a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State?s integrated eligibility system. 2022-068b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis. 2022-068c Conduct an analysis of healthcare related fees and taxes levied by the State to determine if other healthcare related taxes require reporting in the CMS-64 Report.
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR INDIVIDUALS COVERED UNDER MANAGED CARE The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payor of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance. Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible individuals. For individuals enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. The State does not share identified TPL information with the MCOs. Criteria: 42 CFR section 433.138 requires that States (as defined in their approved State Plan) must take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island?s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid Program. With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program. Condition: Identification of TPL by managed care organizations - During fiscal 2022, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (individuals with Medicaid eligibility for the entire year) had verified TPL coverage that was similar to their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that possibly could have been cost avoided. We selected a random sample of encounter claims where the State reported verified third party liability coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Of the twenty instances where the State had verified insurance coverage for Medicaid individuals with three MCOs, those MCOs only had record of TPL in four of the instances. Validity of State Reported TPL Data - As a follow-up to the low number of TPL segments confirmed by the MCOs, we did an analysis of the State?s verified third party insurance data to evaluate its accuracy. With a concern that the State?s reported TPL verification was not completely reliable, we held discussions with EOHHS regarding the issue. EOHHS indicated that concerns had recently surfaced in regards to reported TPL in the MMIS. EOHHS had concerns that while the TPL data match was effectively identifying TPL segments, the interface with the MMIS was less effective in terminating active segments when coverage ended. Based on that concern, we performed an age analysis on current validated TPL segments at June 30, 2022 to evaluate EOHHS?s concerns. Our analysis was based on the likelihood that the older the TPL segment was, the more likely it was that the reported insurance coverage may no longer be effective. Our analysis identified that 62% of the reported 87,138 verified active TPL segments reported in the MMIS as of June 30, 2022 were older than 3 years old, and 36% were older than 5 years old. The high percentage of older TPL segments supports the concerns shared by EOHHS. Approximately 10% of reported verified TPL segments were older than 10 years. While possible, the likelihood that a verified TPL segment would not have any change required (i.e., policy number, coverage type, plan change) over those periods is questionable. Our continued analysis of federal requirements for TPL identification and cost avoidance in fiscal 2022 continue to support the need for immediate action by EOHHS. Immediate corrective actions are needed to first validate TPL data currently residing in the MMIS system. EOHHS should immediately require its MMIS contractor to validate TPL segments for active Medicaid recipients. Once validated, the MMIS contractor should address system deficiencies preventing closure of validated TPL segments when the related insurance coverage lapses. Additionally, once the validated TPL data segments are identified for current Medicaid recipients, that data should be shared with the managed care organizations to ensure that those entities have updated recipient TPL data. EOHHS should also implement enhanced monitoring procedures over MCO TPL identification and cost avoidance to ensure that the MCOs are complying with federal regulations and contractual agreements. Cause: Control deficiencies resulting in inaccurate TPL data residing in the MMIS. Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations. Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-069a Coordinate with the MMIS contractor to validate TPL segments for active Medicaid recipients and address system deficiencies preventing closure of validated TPL segments when the related insurance coverage lapses. 2022-069b Share and match identified TPL coverage with the MCOs upon enrollment and as an individual?s TPL status changes. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
CONTROLS OVER CRITICAL SYSTEM DATA INTERFACES WITHIN THE RIBRIDGES ELIGIBILITY SYSTEM Controls need to be improved to ensure that critical external data interfaces are operating as designed within the RIBridges system. Background: The State?s integrated eligibility system, RIBridges, was designed to utilize various external data sources interfaced with the system to validate applicant data. The objective was to eliminate the need for applicants to provide documentation supporting their eligibility for Medicaid or CHIP if the information was validated by independent external data sources. RIBridges utilizes the State Wage Information Collection Agency (SWICA) data, quarterly employer wage data, provided by the RI Department of Labor and Training (DLT) to validate reported applicant income. SWICA represents a critical external data source and interface within RIBridges. Criteria: The State selected SWICA data as a primary source to validate reported income by Medicaid and CHIP applicants. Federal regulations require that States maintain effective internal controls to ensure compliance with federal eligibility requirements for both programs, including the verification of applicant income. Inclusive in that responsibility are monitoring procedures to ensure that controls are operating as designed. Condition: Certain data mining procedures applied in conjunction with the testing of Medicaid eligibility for fiscal 2022, identified a significant number of State employees receiving Medical Assistance during the year. Analysis of the identified cases found that most were eligible for Medicaid or remained eligible due to federal restrictions on eligibility terminations during the public health emergency period. Our detailed case reviews, however, did identify some cases where known employee wages were not reporting through the SWICA interface as expected. Further follow-up with EOHHS staff identified that the SWICA interface was not operating as designed. Cause: The SWICA interface was not operating in accordance with its design objectives. DLT was reporting no income for employers with late quarterly filings. DLT was also not updating the data file periodically to populate late employer quarterly filings. Significant additional monitoring is needed over critical external data interfaces to ensure operational effectiveness. Effect: Eligibility for Medical Assistance for ineligible applicants. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-070a Correct operational deficiencies identified within RIBridges income validation interface. 2022-070b Implement monitoring procedures for critical external interfaces designed within RIBridges.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
CONTROLS OVER ELIGIBILITY DETERMINATIONS WITHIN THE CHILDREN?S HEALTH INSURANCE PROGRAM (CHIP) ? MATERIAL NONCOMPLIANCE The State did not materially comply with CHIP eligibility requirements during fiscal 2022. RIBridges is not fully evaluating all eligibility criteria to ensure compliance with federal regulations. Background: RIBridges, the State?s computer system used to manage multiple federally funded human service programs, determines eligibility for CHIP. During fiscal 2022, in response to the COVID-19 public health emergency (PHE), federal guidance and temporary changes to the State Plan continued to limit the State?s data verification procedures when evaluating eligibility of new program applicants and prohibited modifying recipient eligibility of existing recipients during the PHE. This finding focuses on the results from testing the more limited controls in place during fiscal 2022. Criteria: Eligibility requirements for CHIP are detailed in the State Plan. Recipient eligibility requirements generally include children under age 19 with household income less than 261% of the federal poverty limit (FPL). Coverage of pregnant women and unborn children of non-citizens is also available under CHIP for individuals with household income less than 253% of FPL. Enhanced funding under CHIP is available only for children without existing health coverage. Children with existing health coverage would be eligible for Medical Assistance. Condition: Controls over CHIP eligibility determinations, except for the limitations described above, were largely unchanged during fiscal 2022. While most CHIP eligibility was identified through RIBridges, EOHHS identified additional CHIP claiming (approximately $4.9 million) through querying the MMIS for individuals meeting CHIP characteristics but not coded as CHIP eligible by RIBridges. Utilizing two separate claiming mechanisms continues to weaken controls over CHIP eligibility. For fiscal 2022, we tested a sample of 40 capitation payments (total population of 1.6 million payments totaling $107.7 million, federal share - $65.8 million) claimed to CHIP for limited eligibility requirements deemed applicable during the PHE. Operational and control deficiencies during fiscal 2022 resulted in material noncompliance with eligibility requirements for CHIP. For all exceptions, the State did not consider the existence of third-party health coverage when determining eligibility for CHIP. We found that two individuals out of the 40 tested were covered by existing health coverage at the time of the claim for a 5% error rate. The citizenship of one of the individuals considered ineligible was also not documented in accordance with federal regulations. Capitation and claims paid in relation to these individuals totaled $5,823 during fiscal 2022 (federal questioned costs - $4,237). These costs would be eligible for claiming to Medicaid. During fiscal 2022, RIBridges was not currently evaluating existing health coverage in conjunction with determining CHIP eligibility, a practice inconsistent with the CHIP State Plan. The State?s most effective data source for identifying third-party insurance (automated TPL data match with private insurers) is utilized in the MMIS but was not interfacing with RIBridges during fiscal 2022. Cause: Noncompliance with CHIP eligibility requirements is caused by CHIP specific programming deficiencies within RIBridges, most notably, the lack of functionality to consider the availability of existing health coverage at the time of application. Effect: Material noncompliance with federal requirements relating to recipient eligibility for CHIP. Questioned Costs: $4,237 Valid Statistical Sampling: Yes RECOMMENDATIONS 2022-064a Address and correct the RIBridges system deficiencies which weaken controls and result in material noncompliance with federal regulations regarding CHIP eligibility. 2022-064b Identify ineligible CHIP costs and return to the federal grantor.
MANAGED CARE FINANCIAL AUDIT The State is not currently in compliance with federal regulations requiring States to implement certain program integrity safeguards when administering Medicaid managed care programs. Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs: ? 42 CFR 438.3(m) Audited financial reports. ?The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.? ? 42 CFR 438.602(e) Periodic audits. ?The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.? Condition: Federal program integrity requirements including required audits of MCO financial and encounter data have not been implemented by the State. These requirements are effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the requirements have not been complied with and policies and procedures specifically outlining the scope of the audits to be performed have not been documented. Cause: Failure to implement federal requirements for stated effective date. Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-065a Improve required contract language for required MCO financial audits to ensure compliance with federal requirements. 2022-065b Implement policies and procedures to comply with federal regulations for MCO financial audits.
MEDICAID MANAGED CARE ORGANIZATIONS ? PROVIDER ELIGIBILITY The State began procedures for the screening, enrollment, and revalidation of providers used in managed care organization (MCO) networks in fiscal 2022; however, a majority of MCO providers remained outstanding at year-end and thus the State did not materially comply with these federal requirements relating to provider eligibility. Criteria: 42 CFR Section 438.602, titled Managed Care, Additional Program Integrity Safeguards, State Responsibilities requires the State to comply with the following sections relating to provider eligibility: ?(b) Screening and enrollment and revalidation providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section for up to 120 days but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120-day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ?438.608(c). (d) Federal database checks. Consistent with the requirements at ?455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ?438.610(c).? Condition: The Medicaid and CHIP Managed Care Final Rule implemented new screening, enrollment, and revalidation requirements for providers of managed care organizations operating within these federal programs. These requirements became effective for fiscal 2019, however, EOHHS had not yet materially complied with these new regulations through fiscal 2022. Cause: Failure to implement federal requirements by the required effective date. EOHHS implemented new procedures and began enrollment in fiscal 2022 but the majority (approximately 90%) of MCO providers were not enrolled as of June 30, 2022. Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-066 Expedite implementation of procedures to comply with federal regulations for the screening, enrollment and revalidation of providers used in managed care organization networks.
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS See related Financial Statement Finding 2022-003. Capitation payments to MCOs represent approximately 60% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures. Background: Medicaid expenditures for individuals enrolled in managed care during fiscal 2022 approximated $1.9 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for 303,301 Medicaid eligible individuals - approximately 91% of total Medicaid enrollees at June 30, 2022. These capitation payments related to the following managed care programs within the State?s Medicaid program: [See Schedule of Findings and Questioned Costs for table.] Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. These programs, however, operate under similar contract structures for purposes of financial settlement with Medicaid. Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Center for Medicare & Medicaid Services overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs. Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls. Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are impacted by the control deficiencies described in Finding 2022-003 relating to the State?s financial reporting and Finding 2022-065 relating to noncompliance with the federal requirements for MCO audit provisions. These deficiencies also impact controls over federal compliance with allowable cost principles in relation to managed care contract settlements. Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP: Finding 2022-003, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls ? Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process. Finding 2022-065, Managed Care Financial Audit ? CMS inclusion of managed care financial audit requirements relating to managed care were designed to improve controls over financial activity and the underlying data reported by managed care organizations which become the basis for contract settlements with the Medicaid and CHIP programs. The State?s noncompliance with these federal requirements results in weakened controls over the administration of managed care activity. Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates. In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2021 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. The following table provides context regarding the amount of medical expenditures that were not supported by submitted encounter data in fiscal 2021 contract settlements. [See Schedule of Findings and Questioned Costs for table.] We also assessed controls to ensure the timely termination of eligibility for deceased individuals to prevent continued payment of managed care capitation after death. We found that the State had not ended eligibility in the MMIS for 127 individuals within 90 days of the date of death. This control deficiency resulted in managed care capitation totaling $467,740 (federal share - $391,994) paid for individuals who had been deceased for more than 90 days. Of that group, 77 individuals remained Medicaid active with capitation paid to the managed care organization for more than 180 days after death. While the State can recoup the capitation once the individual?s death is recorded and eligibility is ended, the delay in termination for deceased individuals further weakens overall controls relating to managed care contract settlements. The State should improve controls to ensure that capitation payments are not continued for Medicaid recipients after death. Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments. Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees. Questioned Costs: $391,994 Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-067a Improve controls over compliance requirements for the allowability of federal expenditures by addressing related internal control deficiencies (including system limitations) over financial reporting and federal noncompliance that specifically impacts financial settlements with managed care organizations. 2022-067b Improve controls to ensure the timely termination of Medicaid eligibility for deceased individuals to prevent continued payment of managed care capitation after death.
FEDERAL REPORTING Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs. Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The State?s RIFANS accounting system is the official record of federal program expenditures and therefore should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures to authorized grant awards (by federal fiscal year) for the respective programs. Condition: Reviews of federal reports for fiscal 2022 noted the following reporting deficiencies: ? Approximately $3.3 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs. ? Reconciling administrative expenditures to the State Accounting System was not performed consistently by the State?s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. ? Amounts reported for benefit expenditures on the CMS-64 Report were in excess of amounts reported in the State Accounting System. While EOHHS believes this was caused by new reporting for reinvestments of the additional 10% federal reimbursement on home and community based services, EOHHS?s reconciliation between the CMS-64 Report and the State Accounting System did not provide documentation supporting the federal reporting difference. ? Nursing facility taxes and hospital licensing fees were reported quarterly in accordance with CMS-64 Report requirements. EOHHS, however, needs to consider whether other healthcare related taxes meet the requirements for reporting on the CMS-64 Report to ensure the completeness of reports filed. The OAG specifically inquired regarding premium taxes that are factored into Medicaid managed care rates to determine if that health insurer tax should also be reported on the CMS-64 Report. Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State Accounting System represents a weakness in internal control over federal reporting. Procedures to ensure the consistent and complete reporting of healthcare-related taxes and fees on the CMS-64 Report are lacking. Effect: Increased risk of inaccurate federal reporting. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-068a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State?s integrated eligibility system. 2022-068b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis. 2022-068c Conduct an analysis of healthcare related fees and taxes levied by the State to determine if other healthcare related taxes require reporting in the CMS-64 Report.
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR INDIVIDUALS COVERED UNDER MANAGED CARE The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payor of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance. Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible individuals. For individuals enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. The State does not share identified TPL information with the MCOs. Criteria: 42 CFR section 433.138 requires that States (as defined in their approved State Plan) must take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island?s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid Program. With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program. Condition: Identification of TPL by managed care organizations - During fiscal 2022, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (individuals with Medicaid eligibility for the entire year) had verified TPL coverage that was similar to their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that possibly could have been cost avoided. We selected a random sample of encounter claims where the State reported verified third party liability coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Of the twenty instances where the State had verified insurance coverage for Medicaid individuals with three MCOs, those MCOs only had record of TPL in four of the instances. Validity of State Reported TPL Data - As a follow-up to the low number of TPL segments confirmed by the MCOs, we did an analysis of the State?s verified third party insurance data to evaluate its accuracy. With a concern that the State?s reported TPL verification was not completely reliable, we held discussions with EOHHS regarding the issue. EOHHS indicated that concerns had recently surfaced in regards to reported TPL in the MMIS. EOHHS had concerns that while the TPL data match was effectively identifying TPL segments, the interface with the MMIS was less effective in terminating active segments when coverage ended. Based on that concern, we performed an age analysis on current validated TPL segments at June 30, 2022 to evaluate EOHHS?s concerns. Our analysis was based on the likelihood that the older the TPL segment was, the more likely it was that the reported insurance coverage may no longer be effective. Our analysis identified that 62% of the reported 87,138 verified active TPL segments reported in the MMIS as of June 30, 2022 were older than 3 years old, and 36% were older than 5 years old. The high percentage of older TPL segments supports the concerns shared by EOHHS. Approximately 10% of reported verified TPL segments were older than 10 years. While possible, the likelihood that a verified TPL segment would not have any change required (i.e., policy number, coverage type, plan change) over those periods is questionable. Our continued analysis of federal requirements for TPL identification and cost avoidance in fiscal 2022 continue to support the need for immediate action by EOHHS. Immediate corrective actions are needed to first validate TPL data currently residing in the MMIS system. EOHHS should immediately require its MMIS contractor to validate TPL segments for active Medicaid recipients. Once validated, the MMIS contractor should address system deficiencies preventing closure of validated TPL segments when the related insurance coverage lapses. Additionally, once the validated TPL data segments are identified for current Medicaid recipients, that data should be shared with the managed care organizations to ensure that those entities have updated recipient TPL data. EOHHS should also implement enhanced monitoring procedures over MCO TPL identification and cost avoidance to ensure that the MCOs are complying with federal regulations and contractual agreements. Cause: Control deficiencies resulting in inaccurate TPL data residing in the MMIS. Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations. Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-069a Coordinate with the MMIS contractor to validate TPL segments for active Medicaid recipients and address system deficiencies preventing closure of validated TPL segments when the related insurance coverage lapses. 2022-069b Share and match identified TPL coverage with the MCOs upon enrollment and as an individual?s TPL status changes. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
CONTROLS OVER CRITICAL SYSTEM DATA INTERFACES WITHIN THE RIBRIDGES ELIGIBILITY SYSTEM Controls need to be improved to ensure that critical external data interfaces are operating as designed within the RIBridges system. Background: The State?s integrated eligibility system, RIBridges, was designed to utilize various external data sources interfaced with the system to validate applicant data. The objective was to eliminate the need for applicants to provide documentation supporting their eligibility for Medicaid or CHIP if the information was validated by independent external data sources. RIBridges utilizes the State Wage Information Collection Agency (SWICA) data, quarterly employer wage data, provided by the RI Department of Labor and Training (DLT) to validate reported applicant income. SWICA represents a critical external data source and interface within RIBridges. Criteria: The State selected SWICA data as a primary source to validate reported income by Medicaid and CHIP applicants. Federal regulations require that States maintain effective internal controls to ensure compliance with federal eligibility requirements for both programs, including the verification of applicant income. Inclusive in that responsibility are monitoring procedures to ensure that controls are operating as designed. Condition: Certain data mining procedures applied in conjunction with the testing of Medicaid eligibility for fiscal 2022, identified a significant number of State employees receiving Medical Assistance during the year. Analysis of the identified cases found that most were eligible for Medicaid or remained eligible due to federal restrictions on eligibility terminations during the public health emergency period. Our detailed case reviews, however, did identify some cases where known employee wages were not reporting through the SWICA interface as expected. Further follow-up with EOHHS staff identified that the SWICA interface was not operating as designed. Cause: The SWICA interface was not operating in accordance with its design objectives. DLT was reporting no income for employers with late quarterly filings. DLT was also not updating the data file periodically to populate late employer quarterly filings. Significant additional monitoring is needed over critical external data interfaces to ensure operational effectiveness. Effect: Eligibility for Medical Assistance for ineligible applicants. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-070a Correct operational deficiencies identified within RIBridges income validation interface. 2022-070b Implement monitoring procedures for critical external interfaces designed within RIBridges.
MANAGED CARE FINANCIAL AUDIT The State is not currently in compliance with federal regulations requiring States to implement certain program integrity safeguards when administering Medicaid managed care programs. Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs: ? 42 CFR 438.3(m) Audited financial reports. ?The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.? ? 42 CFR 438.602(e) Periodic audits. ?The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.? Condition: Federal program integrity requirements including required audits of MCO financial and encounter data have not been implemented by the State. These requirements are effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the requirements have not been complied with and policies and procedures specifically outlining the scope of the audits to be performed have not been documented. Cause: Failure to implement federal requirements for stated effective date. Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-065a Improve required contract language for required MCO financial audits to ensure compliance with federal requirements. 2022-065b Implement policies and procedures to comply with federal regulations for MCO financial audits.
MEDICAID MANAGED CARE ORGANIZATIONS ? PROVIDER ELIGIBILITY The State began procedures for the screening, enrollment, and revalidation of providers used in managed care organization (MCO) networks in fiscal 2022; however, a majority of MCO providers remained outstanding at year-end and thus the State did not materially comply with these federal requirements relating to provider eligibility. Criteria: 42 CFR Section 438.602, titled Managed Care, Additional Program Integrity Safeguards, State Responsibilities requires the State to comply with the following sections relating to provider eligibility: ?(b) Screening and enrollment and revalidation providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section for up to 120 days but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120-day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ?438.608(c). (d) Federal database checks. Consistent with the requirements at ?455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ?438.610(c).? Condition: The Medicaid and CHIP Managed Care Final Rule implemented new screening, enrollment, and revalidation requirements for providers of managed care organizations operating within these federal programs. These requirements became effective for fiscal 2019, however, EOHHS had not yet materially complied with these new regulations through fiscal 2022. Cause: Failure to implement federal requirements by the required effective date. EOHHS implemented new procedures and began enrollment in fiscal 2022 but the majority (approximately 90%) of MCO providers were not enrolled as of June 30, 2022. Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-066 Expedite implementation of procedures to comply with federal regulations for the screening, enrollment and revalidation of providers used in managed care organization networks.
MANAGED CARE FINANCIAL AUDIT The State is not currently in compliance with federal regulations requiring States to implement certain program integrity safeguards when administering Medicaid managed care programs. Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs: ? 42 CFR 438.3(m) Audited financial reports. ?The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.? ? 42 CFR 438.602(e) Periodic audits. ?The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.? Condition: Federal program integrity requirements including required audits of MCO financial and encounter data have not been implemented by the State. These requirements are effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the requirements have not been complied with and policies and procedures specifically outlining the scope of the audits to be performed have not been documented. Cause: Failure to implement federal requirements for stated effective date. Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-065a Improve required contract language for required MCO financial audits to ensure compliance with federal requirements. 2022-065b Implement policies and procedures to comply with federal regulations for MCO financial audits.
MEDICAID MANAGED CARE ORGANIZATIONS ? PROVIDER ELIGIBILITY The State began procedures for the screening, enrollment, and revalidation of providers used in managed care organization (MCO) networks in fiscal 2022; however, a majority of MCO providers remained outstanding at year-end and thus the State did not materially comply with these federal requirements relating to provider eligibility. Criteria: 42 CFR Section 438.602, titled Managed Care, Additional Program Integrity Safeguards, State Responsibilities requires the State to comply with the following sections relating to provider eligibility: ?(b) Screening and enrollment and revalidation providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section for up to 120 days but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120-day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ?438.608(c). (d) Federal database checks. Consistent with the requirements at ?455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ?438.610(c).? Condition: The Medicaid and CHIP Managed Care Final Rule implemented new screening, enrollment, and revalidation requirements for providers of managed care organizations operating within these federal programs. These requirements became effective for fiscal 2019, however, EOHHS had not yet materially complied with these new regulations through fiscal 2022. Cause: Failure to implement federal requirements by the required effective date. EOHHS implemented new procedures and began enrollment in fiscal 2022 but the majority (approximately 90%) of MCO providers were not enrolled as of June 30, 2022. Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-066 Expedite implementation of procedures to comply with federal regulations for the screening, enrollment and revalidation of providers used in managed care organization networks.
MANAGED CARE FINANCIAL AUDIT The State is not currently in compliance with federal regulations requiring States to implement certain program integrity safeguards when administering Medicaid managed care programs. Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs: ? 42 CFR 438.3(m) Audited financial reports. ?The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.? ? 42 CFR 438.602(e) Periodic audits. ?The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.? Condition: Federal program integrity requirements including required audits of MCO financial and encounter data have not been implemented by the State. These requirements are effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the requirements have not been complied with and policies and procedures specifically outlining the scope of the audits to be performed have not been documented. Cause: Failure to implement federal requirements for stated effective date. Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-065a Improve required contract language for required MCO financial audits to ensure compliance with federal requirements. 2022-065b Implement policies and procedures to comply with federal regulations for MCO financial audits.
MEDICAID MANAGED CARE ORGANIZATIONS ? PROVIDER ELIGIBILITY The State began procedures for the screening, enrollment, and revalidation of providers used in managed care organization (MCO) networks in fiscal 2022; however, a majority of MCO providers remained outstanding at year-end and thus the State did not materially comply with these federal requirements relating to provider eligibility. Criteria: 42 CFR Section 438.602, titled Managed Care, Additional Program Integrity Safeguards, State Responsibilities requires the State to comply with the following sections relating to provider eligibility: ?(b) Screening and enrollment and revalidation providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section for up to 120 days but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120-day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ?438.608(c). (d) Federal database checks. Consistent with the requirements at ?455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ?438.610(c).? Condition: The Medicaid and CHIP Managed Care Final Rule implemented new screening, enrollment, and revalidation requirements for providers of managed care organizations operating within these federal programs. These requirements became effective for fiscal 2019, however, EOHHS had not yet materially complied with these new regulations through fiscal 2022. Cause: Failure to implement federal requirements by the required effective date. EOHHS implemented new procedures and began enrollment in fiscal 2022 but the majority (approximately 90%) of MCO providers were not enrolled as of June 30, 2022. Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-066 Expedite implementation of procedures to comply with federal regulations for the screening, enrollment and revalidation of providers used in managed care organization networks.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
MANAGED CARE FINANCIAL AUDIT The State is not currently in compliance with federal regulations requiring States to implement certain program integrity safeguards when administering Medicaid managed care programs. Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs: ? 42 CFR 438.3(m) Audited financial reports. ?The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.? ? 42 CFR 438.602(e) Periodic audits. ?The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.? Condition: Federal program integrity requirements including required audits of MCO financial and encounter data have not been implemented by the State. These requirements are effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the requirements have not been complied with and policies and procedures specifically outlining the scope of the audits to be performed have not been documented. Cause: Failure to implement federal requirements for stated effective date. Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-065a Improve required contract language for required MCO financial audits to ensure compliance with federal requirements. 2022-065b Implement policies and procedures to comply with federal regulations for MCO financial audits.
MEDICAID MANAGED CARE ORGANIZATIONS ? PROVIDER ELIGIBILITY The State began procedures for the screening, enrollment, and revalidation of providers used in managed care organization (MCO) networks in fiscal 2022; however, a majority of MCO providers remained outstanding at year-end and thus the State did not materially comply with these federal requirements relating to provider eligibility. Criteria: 42 CFR Section 438.602, titled Managed Care, Additional Program Integrity Safeguards, State Responsibilities requires the State to comply with the following sections relating to provider eligibility: ?(b) Screening and enrollment and revalidation providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section for up to 120 days but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120-day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ?438.608(c). (d) Federal database checks. Consistent with the requirements at ?455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ?438.610(c).? Condition: The Medicaid and CHIP Managed Care Final Rule implemented new screening, enrollment, and revalidation requirements for providers of managed care organizations operating within these federal programs. These requirements became effective for fiscal 2019, however, EOHHS had not yet materially complied with these new regulations through fiscal 2022. Cause: Failure to implement federal requirements by the required effective date. EOHHS implemented new procedures and began enrollment in fiscal 2022 but the majority (approximately 90%) of MCO providers were not enrolled as of June 30, 2022. Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-066 Expedite implementation of procedures to comply with federal regulations for the screening, enrollment and revalidation of providers used in managed care organization networks.
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS See related Financial Statement Finding 2022-003. Capitation payments to MCOs represent approximately 60% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures. Background: Medicaid expenditures for individuals enrolled in managed care during fiscal 2022 approximated $1.9 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for 303,301 Medicaid eligible individuals - approximately 91% of total Medicaid enrollees at June 30, 2022. These capitation payments related to the following managed care programs within the State?s Medicaid program: [See Schedule of Findings and Questioned Costs for table.] Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. These programs, however, operate under similar contract structures for purposes of financial settlement with Medicaid. Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Center for Medicare & Medicaid Services overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs. Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls. Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are impacted by the control deficiencies described in Finding 2022-003 relating to the State?s financial reporting and Finding 2022-065 relating to noncompliance with the federal requirements for MCO audit provisions. These deficiencies also impact controls over federal compliance with allowable cost principles in relation to managed care contract settlements. Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP: Finding 2022-003, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls ? Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process. Finding 2022-065, Managed Care Financial Audit ? CMS inclusion of managed care financial audit requirements relating to managed care were designed to improve controls over financial activity and the underlying data reported by managed care organizations which become the basis for contract settlements with the Medicaid and CHIP programs. The State?s noncompliance with these federal requirements results in weakened controls over the administration of managed care activity. Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates. In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2021 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. The following table provides context regarding the amount of medical expenditures that were not supported by submitted encounter data in fiscal 2021 contract settlements. [See Schedule of Findings and Questioned Costs for table.] We also assessed controls to ensure the timely termination of eligibility for deceased individuals to prevent continued payment of managed care capitation after death. We found that the State had not ended eligibility in the MMIS for 127 individuals within 90 days of the date of death. This control deficiency resulted in managed care capitation totaling $467,740 (federal share - $391,994) paid for individuals who had been deceased for more than 90 days. Of that group, 77 individuals remained Medicaid active with capitation paid to the managed care organization for more than 180 days after death. While the State can recoup the capitation once the individual?s death is recorded and eligibility is ended, the delay in termination for deceased individuals further weakens overall controls relating to managed care contract settlements. The State should improve controls to ensure that capitation payments are not continued for Medicaid recipients after death. Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments. Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees. Questioned Costs: $391,994 Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-067a Improve controls over compliance requirements for the allowability of federal expenditures by addressing related internal control deficiencies (including system limitations) over financial reporting and federal noncompliance that specifically impacts financial settlements with managed care organizations. 2022-067b Improve controls to ensure the timely termination of Medicaid eligibility for deceased individuals to prevent continued payment of managed care capitation after death.
FEDERAL REPORTING Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs. Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The State?s RIFANS accounting system is the official record of federal program expenditures and therefore should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures to authorized grant awards (by federal fiscal year) for the respective programs. Condition: Reviews of federal reports for fiscal 2022 noted the following reporting deficiencies: ? Approximately $3.3 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs. ? Reconciling administrative expenditures to the State Accounting System was not performed consistently by the State?s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. ? Amounts reported for benefit expenditures on the CMS-64 Report were in excess of amounts reported in the State Accounting System. While EOHHS believes this was caused by new reporting for reinvestments of the additional 10% federal reimbursement on home and community based services, EOHHS?s reconciliation between the CMS-64 Report and the State Accounting System did not provide documentation supporting the federal reporting difference. ? Nursing facility taxes and hospital licensing fees were reported quarterly in accordance with CMS-64 Report requirements. EOHHS, however, needs to consider whether other healthcare related taxes meet the requirements for reporting on the CMS-64 Report to ensure the completeness of reports filed. The OAG specifically inquired regarding premium taxes that are factored into Medicaid managed care rates to determine if that health insurer tax should also be reported on the CMS-64 Report. Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State Accounting System represents a weakness in internal control over federal reporting. Procedures to ensure the consistent and complete reporting of healthcare-related taxes and fees on the CMS-64 Report are lacking. Effect: Increased risk of inaccurate federal reporting. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-068a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State?s integrated eligibility system. 2022-068b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis. 2022-068c Conduct an analysis of healthcare related fees and taxes levied by the State to determine if other healthcare related taxes require reporting in the CMS-64 Report.
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR INDIVIDUALS COVERED UNDER MANAGED CARE The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payor of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance. Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible individuals. For individuals enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. The State does not share identified TPL information with the MCOs. Criteria: 42 CFR section 433.138 requires that States (as defined in their approved State Plan) must take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island?s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid Program. With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program. Condition: Identification of TPL by managed care organizations - During fiscal 2022, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (individuals with Medicaid eligibility for the entire year) had verified TPL coverage that was similar to their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that possibly could have been cost avoided. We selected a random sample of encounter claims where the State reported verified third party liability coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Of the twenty instances where the State had verified insurance coverage for Medicaid individuals with three MCOs, those MCOs only had record of TPL in four of the instances. Validity of State Reported TPL Data - As a follow-up to the low number of TPL segments confirmed by the MCOs, we did an analysis of the State?s verified third party insurance data to evaluate its accuracy. With a concern that the State?s reported TPL verification was not completely reliable, we held discussions with EOHHS regarding the issue. EOHHS indicated that concerns had recently surfaced in regards to reported TPL in the MMIS. EOHHS had concerns that while the TPL data match was effectively identifying TPL segments, the interface with the MMIS was less effective in terminating active segments when coverage ended. Based on that concern, we performed an age analysis on current validated TPL segments at June 30, 2022 to evaluate EOHHS?s concerns. Our analysis was based on the likelihood that the older the TPL segment was, the more likely it was that the reported insurance coverage may no longer be effective. Our analysis identified that 62% of the reported 87,138 verified active TPL segments reported in the MMIS as of June 30, 2022 were older than 3 years old, and 36% were older than 5 years old. The high percentage of older TPL segments supports the concerns shared by EOHHS. Approximately 10% of reported verified TPL segments were older than 10 years. While possible, the likelihood that a verified TPL segment would not have any change required (i.e., policy number, coverage type, plan change) over those periods is questionable. Our continued analysis of federal requirements for TPL identification and cost avoidance in fiscal 2022 continue to support the need for immediate action by EOHHS. Immediate corrective actions are needed to first validate TPL data currently residing in the MMIS system. EOHHS should immediately require its MMIS contractor to validate TPL segments for active Medicaid recipients. Once validated, the MMIS contractor should address system deficiencies preventing closure of validated TPL segments when the related insurance coverage lapses. Additionally, once the validated TPL data segments are identified for current Medicaid recipients, that data should be shared with the managed care organizations to ensure that those entities have updated recipient TPL data. EOHHS should also implement enhanced monitoring procedures over MCO TPL identification and cost avoidance to ensure that the MCOs are complying with federal regulations and contractual agreements. Cause: Control deficiencies resulting in inaccurate TPL data residing in the MMIS. Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations. Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-069a Coordinate with the MMIS contractor to validate TPL segments for active Medicaid recipients and address system deficiencies preventing closure of validated TPL segments when the related insurance coverage lapses. 2022-069b Share and match identified TPL coverage with the MCOs upon enrollment and as an individual?s TPL status changes. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
CONTROLS OVER CRITICAL SYSTEM DATA INTERFACES WITHIN THE RIBRIDGES ELIGIBILITY SYSTEM Controls need to be improved to ensure that critical external data interfaces are operating as designed within the RIBridges system. Background: The State?s integrated eligibility system, RIBridges, was designed to utilize various external data sources interfaced with the system to validate applicant data. The objective was to eliminate the need for applicants to provide documentation supporting their eligibility for Medicaid or CHIP if the information was validated by independent external data sources. RIBridges utilizes the State Wage Information Collection Agency (SWICA) data, quarterly employer wage data, provided by the RI Department of Labor and Training (DLT) to validate reported applicant income. SWICA represents a critical external data source and interface within RIBridges. Criteria: The State selected SWICA data as a primary source to validate reported income by Medicaid and CHIP applicants. Federal regulations require that States maintain effective internal controls to ensure compliance with federal eligibility requirements for both programs, including the verification of applicant income. Inclusive in that responsibility are monitoring procedures to ensure that controls are operating as designed. Condition: Certain data mining procedures applied in conjunction with the testing of Medicaid eligibility for fiscal 2022, identified a significant number of State employees receiving Medical Assistance during the year. Analysis of the identified cases found that most were eligible for Medicaid or remained eligible due to federal restrictions on eligibility terminations during the public health emergency period. Our detailed case reviews, however, did identify some cases where known employee wages were not reporting through the SWICA interface as expected. Further follow-up with EOHHS staff identified that the SWICA interface was not operating as designed. Cause: The SWICA interface was not operating in accordance with its design objectives. DLT was reporting no income for employers with late quarterly filings. DLT was also not updating the data file periodically to populate late employer quarterly filings. Significant additional monitoring is needed over critical external data interfaces to ensure operational effectiveness. Effect: Eligibility for Medical Assistance for ineligible applicants. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-070a Correct operational deficiencies identified within RIBridges income validation interface. 2022-070b Implement monitoring procedures for critical external interfaces designed within RIBridges.
CONTROLS OVER LONG-TERM CARE FACILITY RATE SETTING The State?s current practices for long-term care facility rate setting do not fully comply with its State plan provisions requiring an annual review of nursing facility rates and related provider cost report audit requirements. Background: Nursing Facility Reimbursement - EOHHS reimburses long-term care providers using a full Resource Utilization Groups (?RUG?) system. Under the RUG system, each long-term care facility has a base per diem rate that applies to all residents that is comprised of direct nursing care and other direct care costs, indirect care, fair rental value, property taxes, direct care and gain/loss policy adjustors, and a provider assessment. Each long-term care resident is assigned a RUG score that reflects the individual?s expected resource utilization. A RUG score multiplier adjusts the provider base rate to a recipient-specific per diem rate to reflect the anticipated costs of caring for each resident. The CMS-approved RUG methodology requires that EOHHS conduct a rate review every three years (at a minimum) to determine if the original cost components used to establish the base rates are still appropriate. The State Plan also requires audits of the financial and statistical records of each participating provider. Criteria: 42 CFR section 447.250 requires that the State Plan provide for payment of hospital and long-term care facility services through rates that the State determines are reasonable and adequate to meet the costs that must be incurred by efficiently and economically operated facilities to provide services in conformity with State and Federal laws, regulations, and quality and safety standards. Condition: Nursing Facility Reimbursement ? EOHHS has not formalized its triennial rate review required by CMS in its approval of the RUG methodology. EOHHS has also not complied with the periodic audit requirements of the financial records of providers as required by the CMS-approved State Plan. Cause: EOHHS has not documented its compliance with annual rate review procedures detailed in its approved State Plan for long-term care facility rate setting. The State has also not performed long-term care facility (nursing home) audits detailed in the State Plan. Effect: Rate setting procedures for long-term care providers do not fully comply with approved State Plan requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-071 Document compliance with the Federal and State plan rate review and periodic audit requirements for long-term care providers or amend the State Plan with CMS approval to align to current practices.
MEDICAID NATIONAL CORRECT CODING INITIATIVE (NCCI) Controls to ensure NCCI claims processing edits are functioning over Medicaid activity require improvement to ensure compliance with federal regulations. Criteria: Federal regulations (Section 1903(r) of the Social Security Act) requires State Medicaid agencies to incorporate NCCI methodologies into State Medicaid programs. Application of the NCCI methodologies to fee-for-service claims processed by the State Medicaid Agency (SMA) are required. Fee-for-service claims processed by other entities, such as managed care organizations are applicable only if required by the SMA. Condition: While our test claim procedures found the NCCI edits to be operating as designed in the MMIS, our review of the State?s application of NCCI edit methodologies noted the following areas for program improvements: a. The State should consider incorporating review of the application of NCCI edits into the scope of the Service Organization Control Review conducted annually of the State?s claims processing system and related fiscal agent controls to ensure continued operation of the NCCI federal requirements within the MMIS. The NCCI edits were reviewed upon initial implementation and found to be operational; however, controls should be improved to ensure that those edits remain operational on an annual basis. b. It was unclear whether Medicaid claims processing by the State?s MCOs applied the NCCI methodologies. Claims processed by MCOs represent the majority of program expenditures within the State Medicaid program. Managed care contracts did not specifically require application of NCCI edits within the MCO claims processing systems. EOHHS should consider whether to formalize this requirement going forward to apply these edits to a material segment of Medicaid expenditures. c. We noted that the NCCI edits were not applied in the MMIS in the order specified by the federal regulations; however, we do not believe this had a significant impact on compliance. d. For some of our individual case tests, the MMIS did not reject certain procedure to procedure edits that are included in the NCCI edits. The MMIS contractor could not provide a specific reason as to why these edits were not performing as expected in the test environment. Our analysis of actual claim edits during the year did include several procedure-to-procedure edits that were denied by the MMIS so it was unclear as to why certain specific procedure-to-procedure edits were not functioning as expected in the test environment. Cause: Lack of NCCI edit monitoring procedures by EOHHS and limited instances of noncompliance with the NCCI Medicaid Technical Guidance. Effect: Potential noncompliance with NCCI special test and provision federal requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-072a Include review of the application of NCCI edits into the scope of the Service Organization Control Review conducted annually of the State?s claims processing system and related fiscal agent controls to ensure continued operation of the NCCI federal requirements within the MMIS. 2022-072b Ensure that the State?s procurement of a new Medicaid Management Information System includes the requirements outlined in the NCCI Medicaid Technical Guidance issued by CMS. 2022-072c Consider in future MCO contract procurements, the benefits of mandating MCOs to implement NCCI edits within their claim processing systems to enhance program integrity over managed care claiming.
SERVICES PROVIDED TO CHILDREN IN THE STATE?S CUSTODY BY THE DEPARTMENT OF CHILDREN, YOUTH, AND FAMILIES (DCYF) BILLED TO MEDICAID Certain psychiatric residential treatment facility (PRTF) services provided to children in the State?s custody have been charged to Medicaid in fiscal 2022 in accordance with a methodology that is pending State Plan Approval. Controls over other services provided to children in the State?s custody would be improved if processed through the Medicaid Management Information System (MMIS). Background: EOHHS, the Single State Medicaid Agency, administers claiming to Medicaid from other health and human service State agencies (such as DCYF) through the execution of Interagency Service Agreements (ISAs). The ISA provides approval by the Single State Medicaid Agency that the proposed services are allowable and the necessary requirements that the other agency must comply with to support the allowability of the claims to Medicaid. Services authorized by the ISAs should be claimed in accordance with approved State Plan requirements. PRTF services (which began in fiscal 2020) claimed by DCYF to Medicaid are an identified service within the ISA. The approval to claim these services based on an all-inclusive rate determined through a cost-based methodology is still pending with the Centers for Medicare and Medicaid Services (CMS). In fiscal 2022, the reimbursement rate was established based on a budget submitted by the service provider. Criteria: Federal approval to reimburse PRTF service providers based on a cost reimbursement methodology is currently pending with CMS. Reimbursing providers in accordance with an approved State Plan methodology is a requirement for considering the allowability of federal expenditures. Condition: DCYF implemented psychiatric residential treatment facility (PRTF) services during fiscal 2020 to provide a current level of service to children in the State?s custody that was previously lacking. Previously, DCYF allocated claiming for all contracted youth placement providers to Medicaid based on a time study methodology (partial charging, previously based on underlying time study allocation for treatment and assessment component of service provided). PRTF placements were a change in that certified and licensed facilities would be charged at 100% of the contracted per diem rate (set based on a cost reimbursement methodology) to Medicaid. Medicaid reimbursements have been made to DCYF since inception based on the new methodology, even though State Plan approval of that cost reimbursement methodology is still pending. DCYF was reimbursed approximately $3.9 million for PRTF services provided to children in the State?s custody during fiscal 2022. During our audit, we also noted that approximately $19 million in other services to children in the State?s custody are being claimed to Medicaid through journal entries in the State Accounting System. Controls over these services would be greatly enhanced if these providers submitted claims to the MMIS directly for reimbursement. Allowing fee-for-service claiming to be reimbursed by Medicaid external to the MMIS significantly weakens program controls. Cause: Medicaid reimbursements of PRTF services to DCYF during fiscal 2022 were based on a reimbursement methodology which is pending State Plan Amendment approval by CMS. Control weaknesses exist when Medicaid claiming is not processed through the MMIS. Effect: Potential noncompliance with federal regulations for allowable costs/cost principles. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-073a Ensure that PRTF services are reimbursed to DCYF in accordance with the currently approved Medicaid State Plan. 2022-073b Ensure that allowable medical services provided by DCYF providers are billed directly to the MMIS and subject to all designed claims processing, recipient eligibility, and provider eligibility controls.
ALLOWABLE COSTS ? MEDICAL ASSISTANCE Controls need to be improved to ensure that certain program expenditures comply with federal allowable cost requirements. Criteria: Section 200.403 of the Uniform Guidance requires that costs conform to limitations set forth in the Uniform Guidance as to types or amounts of cost items and that such costs should be adequately documented. Section 200.410 of the Uniform Guidance indicates that payments made for costs determined to be unallowable must be refunded to the Federal Government. Condition: Agreement and support of contractor costs to underlying contracts ? In reviewing certain sample contractor invoices charged to Medicaid, the supporting documentation provided did not agree with the underlying contract for detailed cost items or the support could not be readily agreed to the underlying contract (questioned costs - $4,043, federal share - $3,639). Local Education Agency Claiming Reviews ? EOHHS conducts periodic claiming reviews of Local Education Agency documentation for special education services reimbursed by Medicaid. In conjunction with those reviews, services that are not documented in accordance with the State?s policies and procedures for special education services are deemed unallowable. The OAG identified unallowable claiming totaling $37 (federal share- $23) that was not recouped from the provider and credited back to the federal grantor. Documentation of support on hand at the time of invoice review and approval by EOHHS was difficult to determine. Our review of most high dollar contractor invoices required significant follow-up with the agency to agree amounts to the underlying contracts. Cause: The documentation of invoice reviews (especially high dollar contractor invoices) by EOHHS was lacking in certain areas resulting in significant follow-up with the agency and identification of the questioned costs above. While EOHHS reviews of special education claiming were well documented, procedural improvements to ensure that recoupments are made for identified services deemed unallowable are needed. Effect: Failure to comply with Uniform Guidance requirements for the allowability of program expenditures. Questioned Costs: $3,662 Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-074a Implement enhanced invoice review documentation requirements for significant contractor invoices to ensure compliance with Uniform Guidance requirements over allowable costs in the Medicaid Program. 2022-074b Improve procedures to ensure that recoupments are made for identified special education services deemed unallowable for Medicaid reimbursement.
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM See related Financial Statement Finding 2022-018. EOHHS, DHS and the Division of Information Technology must enhance systems security oversight over systems used to administer multiple federally funded programs to fully comply with federal regulations relating to ADP risk and system security review. The plan must be sufficiently comprehensive and include timely reaction to and consideration of identified security issues and risk factors. Criteria: Federal regulation 45 CFR section 95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems ? MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration?s Division of Information Technology ? DoIT) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan. Condition: MMIS ? EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other monitoring procedures as required. Additionally, any deficiencies noted in the SOC reports must be evaluated timely and documented to determine if they affect any of the required controls over federal program administration. The MMIS SOC Report identified exceptions relating to password adequacy and configuration and program change controls. The review and consideration of the exceptions by EOHHS was not adequate. The SOC report also relies on several complementary user controls that EOHHS is responsible for ensuring are in place and operating effectively which require more formalized consideration. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS and improved monitoring of system access by the MMIS system contractor. RIBridges - Clearly documented roles and responsibilities outlining the coordination among EOHHS, DHS, and DoIT in managing IT security over RIBridges can be enhanced and formalized. In addition, the RIBridges contractor has delegated certain IT security responsibilities to a subcontractor and an understanding of IT security functions performed by those entities needs formalization and monitoring by the State. A SOC engagement (or equivalent evaluation) of the RIBridges system for controls in effect, although contractually required of the contractor, has not yet been performed. This SOC engagement, once performed, will provide additional information regarding contractor controls and contractor monitoring procedures over subcontractor delegated functions. This information will be vital to the State?s overall ADP risk analysis and system security monitoring process. DoIT currently relies significantly on ongoing Independent Verification & Validation (IV&V) monitoring services of RIBridges as well as MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations. Our review of the MARS-E evaluation for fiscal 2022 identified certain risks that included, but were not limited to, incident response, systems and communications protection, and system and information integrity that have not received timely corrective action by the State and its contractor. EOHHS, DHS, and DoIT should (1) consider the significance of these issues and impact on the State?s internal control procedures for the administration of the affected federal programs, and (2) require corrective action by the appropriate party (including contractors assigned those responsibilities). The federally required ADP risk analysis and system security considerations are consistent with an overall enterprise-wide need (as described in Finding 2022-018), to complete risk assessments for all IT systems within the State. The interconnectivity between RIBridges and the MMIS necessitates a more coordinated approach to information security over the systems than what currently exists. A more formalized plan that meets the requirement of a comprehensive risk assessment and system security plan would also allow the State to ensure that the proper information system security resources are applied effectively over both systems. Since the State?s information system security resources are within DoIT, involving those resources in the overall consideration of IT security for the MMIS would be beneficial. Cause: Deficiencies in the State?s current policies and procedures relating to ADP Risk Analysis and System Security Review result in identified IT security deficiencies not being considered and addressed in a timely manner. Effect: Failure to address timely IT security deficiencies relating to ADP risk analysis and system security review requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-040a Enhance compliance with federal ADP Risk Analysis and System Security Review requirements by creating a comprehensive, integrated plan for RIBridges and the MMIS. Document the roles and responsibilities of EOHHS, DHS, DoIT, and contractors (and related subcontractors) in conjunction with the plan development. 2022-040b Ensure that the formalized plan includes a comprehensive risk assessment for both systems (RIBridges and MMIS), critical controls deemed effective in mitigating those risks, and specific monitoring procedures to ensure the effective operation of those policies and procedures, including reliance on external contract services when required.
MANAGED CARE FINANCIAL AUDIT The State is not currently in compliance with federal regulations requiring States to implement certain program integrity safeguards when administering Medicaid managed care programs. Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs: ? 42 CFR 438.3(m) Audited financial reports. ?The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.? ? 42 CFR 438.602(e) Periodic audits. ?The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.? Condition: Federal program integrity requirements including required audits of MCO financial and encounter data have not been implemented by the State. These requirements are effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the requirements have not been complied with and policies and procedures specifically outlining the scope of the audits to be performed have not been documented. Cause: Failure to implement federal requirements for stated effective date. Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-065a Improve required contract language for required MCO financial audits to ensure compliance with federal requirements. 2022-065b Implement policies and procedures to comply with federal regulations for MCO financial audits.
MEDICAID MANAGED CARE ORGANIZATIONS ? PROVIDER ELIGIBILITY The State began procedures for the screening, enrollment, and revalidation of providers used in managed care organization (MCO) networks in fiscal 2022; however, a majority of MCO providers remained outstanding at year-end and thus the State did not materially comply with these federal requirements relating to provider eligibility. Criteria: 42 CFR Section 438.602, titled Managed Care, Additional Program Integrity Safeguards, State Responsibilities requires the State to comply with the following sections relating to provider eligibility: ?(b) Screening and enrollment and revalidation providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section for up to 120 days but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120-day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ?438.608(c). (d) Federal database checks. Consistent with the requirements at ?455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ?438.610(c).? Condition: The Medicaid and CHIP Managed Care Final Rule implemented new screening, enrollment, and revalidation requirements for providers of managed care organizations operating within these federal programs. These requirements became effective for fiscal 2019, however, EOHHS had not yet materially complied with these new regulations through fiscal 2022. Cause: Failure to implement federal requirements by the required effective date. EOHHS implemented new procedures and began enrollment in fiscal 2022 but the majority (approximately 90%) of MCO providers were not enrolled as of June 30, 2022. Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-066 Expedite implementation of procedures to comply with federal regulations for the screening, enrollment and revalidation of providers used in managed care organization networks.
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS See related Financial Statement Finding 2022-003. Capitation payments to MCOs represent approximately 60% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures. Background: Medicaid expenditures for individuals enrolled in managed care during fiscal 2022 approximated $1.9 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for 303,301 Medicaid eligible individuals - approximately 91% of total Medicaid enrollees at June 30, 2022. These capitation payments related to the following managed care programs within the State?s Medicaid program: [See Schedule of Findings and Questioned Costs for table.] Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. These programs, however, operate under similar contract structures for purposes of financial settlement with Medicaid. Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Center for Medicare & Medicaid Services overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs. Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls. Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are impacted by the control deficiencies described in Finding 2022-003 relating to the State?s financial reporting and Finding 2022-065 relating to noncompliance with the federal requirements for MCO audit provisions. These deficiencies also impact controls over federal compliance with allowable cost principles in relation to managed care contract settlements. Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP: Finding 2022-003, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls ? Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process. Finding 2022-065, Managed Care Financial Audit ? CMS inclusion of managed care financial audit requirements relating to managed care were designed to improve controls over financial activity and the underlying data reported by managed care organizations which become the basis for contract settlements with the Medicaid and CHIP programs. The State?s noncompliance with these federal requirements results in weakened controls over the administration of managed care activity. Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates. In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2021 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. The following table provides context regarding the amount of medical expenditures that were not supported by submitted encounter data in fiscal 2021 contract settlements. [See Schedule of Findings and Questioned Costs for table.] We also assessed controls to ensure the timely termination of eligibility for deceased individuals to prevent continued payment of managed care capitation after death. We found that the State had not ended eligibility in the MMIS for 127 individuals within 90 days of the date of death. This control deficiency resulted in managed care capitation totaling $467,740 (federal share - $391,994) paid for individuals who had been deceased for more than 90 days. Of that group, 77 individuals remained Medicaid active with capitation paid to the managed care organization for more than 180 days after death. While the State can recoup the capitation once the individual?s death is recorded and eligibility is ended, the delay in termination for deceased individuals further weakens overall controls relating to managed care contract settlements. The State should improve controls to ensure that capitation payments are not continued for Medicaid recipients after death. Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments. Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees. Questioned Costs: $391,994 Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-067a Improve controls over compliance requirements for the allowability of federal expenditures by addressing related internal control deficiencies (including system limitations) over financial reporting and federal noncompliance that specifically impacts financial settlements with managed care organizations. 2022-067b Improve controls to ensure the timely termination of Medicaid eligibility for deceased individuals to prevent continued payment of managed care capitation after death.
FEDERAL REPORTING Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs. Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The State?s RIFANS accounting system is the official record of federal program expenditures and therefore should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures to authorized grant awards (by federal fiscal year) for the respective programs. Condition: Reviews of federal reports for fiscal 2022 noted the following reporting deficiencies: ? Approximately $3.3 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs. ? Reconciling administrative expenditures to the State Accounting System was not performed consistently by the State?s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. ? Amounts reported for benefit expenditures on the CMS-64 Report were in excess of amounts reported in the State Accounting System. While EOHHS believes this was caused by new reporting for reinvestments of the additional 10% federal reimbursement on home and community based services, EOHHS?s reconciliation between the CMS-64 Report and the State Accounting System did not provide documentation supporting the federal reporting difference. ? Nursing facility taxes and hospital licensing fees were reported quarterly in accordance with CMS-64 Report requirements. EOHHS, however, needs to consider whether other healthcare related taxes meet the requirements for reporting on the CMS-64 Report to ensure the completeness of reports filed. The OAG specifically inquired regarding premium taxes that are factored into Medicaid managed care rates to determine if that health insurer tax should also be reported on the CMS-64 Report. Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State Accounting System represents a weakness in internal control over federal reporting. Procedures to ensure the consistent and complete reporting of healthcare-related taxes and fees on the CMS-64 Report are lacking. Effect: Increased risk of inaccurate federal reporting. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-068a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State?s integrated eligibility system. 2022-068b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis. 2022-068c Conduct an analysis of healthcare related fees and taxes levied by the State to determine if other healthcare related taxes require reporting in the CMS-64 Report.
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR INDIVIDUALS COVERED UNDER MANAGED CARE The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payor of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance. Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible individuals. For individuals enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. The State does not share identified TPL information with the MCOs. Criteria: 42 CFR section 433.138 requires that States (as defined in their approved State Plan) must take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island?s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid Program. With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program. Condition: Identification of TPL by managed care organizations - During fiscal 2022, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (individuals with Medicaid eligibility for the entire year) had verified TPL coverage that was similar to their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that possibly could have been cost avoided. We selected a random sample of encounter claims where the State reported verified third party liability coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Of the twenty instances where the State had verified insurance coverage for Medicaid individuals with three MCOs, those MCOs only had record of TPL in four of the instances. Validity of State Reported TPL Data - As a follow-up to the low number of TPL segments confirmed by the MCOs, we did an analysis of the State?s verified third party insurance data to evaluate its accuracy. With a concern that the State?s reported TPL verification was not completely reliable, we held discussions with EOHHS regarding the issue. EOHHS indicated that concerns had recently surfaced in regards to reported TPL in the MMIS. EOHHS had concerns that while the TPL data match was effectively identifying TPL segments, the interface with the MMIS was less effective in terminating active segments when coverage ended. Based on that concern, we performed an age analysis on current validated TPL segments at June 30, 2022 to evaluate EOHHS?s concerns. Our analysis was based on the likelihood that the older the TPL segment was, the more likely it was that the reported insurance coverage may no longer be effective. Our analysis identified that 62% of the reported 87,138 verified active TPL segments reported in the MMIS as of June 30, 2022 were older than 3 years old, and 36% were older than 5 years old. The high percentage of older TPL segments supports the concerns shared by EOHHS. Approximately 10% of reported verified TPL segments were older than 10 years. While possible, the likelihood that a verified TPL segment would not have any change required (i.e., policy number, coverage type, plan change) over those periods is questionable. Our continued analysis of federal requirements for TPL identification and cost avoidance in fiscal 2022 continue to support the need for immediate action by EOHHS. Immediate corrective actions are needed to first validate TPL data currently residing in the MMIS system. EOHHS should immediately require its MMIS contractor to validate TPL segments for active Medicaid recipients. Once validated, the MMIS contractor should address system deficiencies preventing closure of validated TPL segments when the related insurance coverage lapses. Additionally, once the validated TPL data segments are identified for current Medicaid recipients, that data should be shared with the managed care organizations to ensure that those entities have updated recipient TPL data. EOHHS should also implement enhanced monitoring procedures over MCO TPL identification and cost avoidance to ensure that the MCOs are complying with federal regulations and contractual agreements. Cause: Control deficiencies resulting in inaccurate TPL data residing in the MMIS. Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations. Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-069a Coordinate with the MMIS contractor to validate TPL segments for active Medicaid recipients and address system deficiencies preventing closure of validated TPL segments when the related insurance coverage lapses. 2022-069b Share and match identified TPL coverage with the MCOs upon enrollment and as an individual?s TPL status changes. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
CONTROLS OVER CRITICAL SYSTEM DATA INTERFACES WITHIN THE RIBRIDGES ELIGIBILITY SYSTEM Controls need to be improved to ensure that critical external data interfaces are operating as designed within the RIBridges system. Background: The State?s integrated eligibility system, RIBridges, was designed to utilize various external data sources interfaced with the system to validate applicant data. The objective was to eliminate the need for applicants to provide documentation supporting their eligibility for Medicaid or CHIP if the information was validated by independent external data sources. RIBridges utilizes the State Wage Information Collection Agency (SWICA) data, quarterly employer wage data, provided by the RI Department of Labor and Training (DLT) to validate reported applicant income. SWICA represents a critical external data source and interface within RIBridges. Criteria: The State selected SWICA data as a primary source to validate reported income by Medicaid and CHIP applicants. Federal regulations require that States maintain effective internal controls to ensure compliance with federal eligibility requirements for both programs, including the verification of applicant income. Inclusive in that responsibility are monitoring procedures to ensure that controls are operating as designed. Condition: Certain data mining procedures applied in conjunction with the testing of Medicaid eligibility for fiscal 2022, identified a significant number of State employees receiving Medical Assistance during the year. Analysis of the identified cases found that most were eligible for Medicaid or remained eligible due to federal restrictions on eligibility terminations during the public health emergency period. Our detailed case reviews, however, did identify some cases where known employee wages were not reporting through the SWICA interface as expected. Further follow-up with EOHHS staff identified that the SWICA interface was not operating as designed. Cause: The SWICA interface was not operating in accordance with its design objectives. DLT was reporting no income for employers with late quarterly filings. DLT was also not updating the data file periodically to populate late employer quarterly filings. Significant additional monitoring is needed over critical external data interfaces to ensure operational effectiveness. Effect: Eligibility for Medical Assistance for ineligible applicants. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-070a Correct operational deficiencies identified within RIBridges income validation interface. 2022-070b Implement monitoring procedures for critical external interfaces designed within RIBridges.
CONTROLS OVER LONG-TERM CARE FACILITY RATE SETTING The State?s current practices for long-term care facility rate setting do not fully comply with its State plan provisions requiring an annual review of nursing facility rates and related provider cost report audit requirements. Background: Nursing Facility Reimbursement - EOHHS reimburses long-term care providers using a full Resource Utilization Groups (?RUG?) system. Under the RUG system, each long-term care facility has a base per diem rate that applies to all residents that is comprised of direct nursing care and other direct care costs, indirect care, fair rental value, property taxes, direct care and gain/loss policy adjustors, and a provider assessment. Each long-term care resident is assigned a RUG score that reflects the individual?s expected resource utilization. A RUG score multiplier adjusts the provider base rate to a recipient-specific per diem rate to reflect the anticipated costs of caring for each resident. The CMS-approved RUG methodology requires that EOHHS conduct a rate review every three years (at a minimum) to determine if the original cost components used to establish the base rates are still appropriate. The State Plan also requires audits of the financial and statistical records of each participating provider. Criteria: 42 CFR section 447.250 requires that the State Plan provide for payment of hospital and long-term care facility services through rates that the State determines are reasonable and adequate to meet the costs that must be incurred by efficiently and economically operated facilities to provide services in conformity with State and Federal laws, regulations, and quality and safety standards. Condition: Nursing Facility Reimbursement ? EOHHS has not formalized its triennial rate review required by CMS in its approval of the RUG methodology. EOHHS has also not complied with the periodic audit requirements of the financial records of providers as required by the CMS-approved State Plan. Cause: EOHHS has not documented its compliance with annual rate review procedures detailed in its approved State Plan for long-term care facility rate setting. The State has also not performed long-term care facility (nursing home) audits detailed in the State Plan. Effect: Rate setting procedures for long-term care providers do not fully comply with approved State Plan requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-071 Document compliance with the Federal and State plan rate review and periodic audit requirements for long-term care providers or amend the State Plan with CMS approval to align to current practices.
MEDICAID NATIONAL CORRECT CODING INITIATIVE (NCCI) Controls to ensure NCCI claims processing edits are functioning over Medicaid activity require improvement to ensure compliance with federal regulations. Criteria: Federal regulations (Section 1903(r) of the Social Security Act) requires State Medicaid agencies to incorporate NCCI methodologies into State Medicaid programs. Application of the NCCI methodologies to fee-for-service claims processed by the State Medicaid Agency (SMA) are required. Fee-for-service claims processed by other entities, such as managed care organizations are applicable only if required by the SMA. Condition: While our test claim procedures found the NCCI edits to be operating as designed in the MMIS, our review of the State?s application of NCCI edit methodologies noted the following areas for program improvements: a. The State should consider incorporating review of the application of NCCI edits into the scope of the Service Organization Control Review conducted annually of the State?s claims processing system and related fiscal agent controls to ensure continued operation of the NCCI federal requirements within the MMIS. The NCCI edits were reviewed upon initial implementation and found to be operational; however, controls should be improved to ensure that those edits remain operational on an annual basis. b. It was unclear whether Medicaid claims processing by the State?s MCOs applied the NCCI methodologies. Claims processed by MCOs represent the majority of program expenditures within the State Medicaid program. Managed care contracts did not specifically require application of NCCI edits within the MCO claims processing systems. EOHHS should consider whether to formalize this requirement going forward to apply these edits to a material segment of Medicaid expenditures. c. We noted that the NCCI edits were not applied in the MMIS in the order specified by the federal regulations; however, we do not believe this had a significant impact on compliance. d. For some of our individual case tests, the MMIS did not reject certain procedure to procedure edits that are included in the NCCI edits. The MMIS contractor could not provide a specific reason as to why these edits were not performing as expected in the test environment. Our analysis of actual claim edits during the year did include several procedure-to-procedure edits that were denied by the MMIS so it was unclear as to why certain specific procedure-to-procedure edits were not functioning as expected in the test environment. Cause: Lack of NCCI edit monitoring procedures by EOHHS and limited instances of noncompliance with the NCCI Medicaid Technical Guidance. Effect: Potential noncompliance with NCCI special test and provision federal requirements. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-072a Include review of the application of NCCI edits into the scope of the Service Organization Control Review conducted annually of the State?s claims processing system and related fiscal agent controls to ensure continued operation of the NCCI federal requirements within the MMIS. 2022-072b Ensure that the State?s procurement of a new Medicaid Management Information System includes the requirements outlined in the NCCI Medicaid Technical Guidance issued by CMS. 2022-072c Consider in future MCO contract procurements, the benefits of mandating MCOs to implement NCCI edits within their claim processing systems to enhance program integrity over managed care claiming.
SERVICES PROVIDED TO CHILDREN IN THE STATE?S CUSTODY BY THE DEPARTMENT OF CHILDREN, YOUTH, AND FAMILIES (DCYF) BILLED TO MEDICAID Certain psychiatric residential treatment facility (PRTF) services provided to children in the State?s custody have been charged to Medicaid in fiscal 2022 in accordance with a methodology that is pending State Plan Approval. Controls over other services provided to children in the State?s custody would be improved if processed through the Medicaid Management Information System (MMIS). Background: EOHHS, the Single State Medicaid Agency, administers claiming to Medicaid from other health and human service State agencies (such as DCYF) through the execution of Interagency Service Agreements (ISAs). The ISA provides approval by the Single State Medicaid Agency that the proposed services are allowable and the necessary requirements that the other agency must comply with to support the allowability of the claims to Medicaid. Services authorized by the ISAs should be claimed in accordance with approved State Plan requirements. PRTF services (which began in fiscal 2020) claimed by DCYF to Medicaid are an identified service within the ISA. The approval to claim these services based on an all-inclusive rate determined through a cost-based methodology is still pending with the Centers for Medicare and Medicaid Services (CMS). In fiscal 2022, the reimbursement rate was established based on a budget submitted by the service provider. Criteria: Federal approval to reimburse PRTF service providers based on a cost reimbursement methodology is currently pending with CMS. Reimbursing providers in accordance with an approved State Plan methodology is a requirement for considering the allowability of federal expenditures. Condition: DCYF implemented psychiatric residential treatment facility (PRTF) services during fiscal 2020 to provide a current level of service to children in the State?s custody that was previously lacking. Previously, DCYF allocated claiming for all contracted youth placement providers to Medicaid based on a time study methodology (partial charging, previously based on underlying time study allocation for treatment and assessment component of service provided). PRTF placements were a change in that certified and licensed facilities would be charged at 100% of the contracted per diem rate (set based on a cost reimbursement methodology) to Medicaid. Medicaid reimbursements have been made to DCYF since inception based on the new methodology, even though State Plan approval of that cost reimbursement methodology is still pending. DCYF was reimbursed approximately $3.9 million for PRTF services provided to children in the State?s custody during fiscal 2022. During our audit, we also noted that approximately $19 million in other services to children in the State?s custody are being claimed to Medicaid through journal entries in the State Accounting System. Controls over these services would be greatly enhanced if these providers submitted claims to the MMIS directly for reimbursement. Allowing fee-for-service claiming to be reimbursed by Medicaid external to the MMIS significantly weakens program controls. Cause: Medicaid reimbursements of PRTF services to DCYF during fiscal 2022 were based on a reimbursement methodology which is pending State Plan Amendment approval by CMS. Control weaknesses exist when Medicaid claiming is not processed through the MMIS. Effect: Potential noncompliance with federal regulations for allowable costs/cost principles. Questioned Costs: Undetermined Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-073a Ensure that PRTF services are reimbursed to DCYF in accordance with the currently approved Medicaid State Plan. 2022-073b Ensure that allowable medical services provided by DCYF providers are billed directly to the MMIS and subject to all designed claims processing, recipient eligibility, and provider eligibility controls.
ALLOWABLE COSTS ? MEDICAL ASSISTANCE Controls need to be improved to ensure that certain program expenditures comply with federal allowable cost requirements. Criteria: Section 200.403 of the Uniform Guidance requires that costs conform to limitations set forth in the Uniform Guidance as to types or amounts of cost items and that such costs should be adequately documented. Section 200.410 of the Uniform Guidance indicates that payments made for costs determined to be unallowable must be refunded to the Federal Government. Condition: Agreement and support of contractor costs to underlying contracts ? In reviewing certain sample contractor invoices charged to Medicaid, the supporting documentation provided did not agree with the underlying contract for detailed cost items or the support could not be readily agreed to the underlying contract (questioned costs - $4,043, federal share - $3,639). Local Education Agency Claiming Reviews ? EOHHS conducts periodic claiming reviews of Local Education Agency documentation for special education services reimbursed by Medicaid. In conjunction with those reviews, services that are not documented in accordance with the State?s policies and procedures for special education services are deemed unallowable. The OAG identified unallowable claiming totaling $37 (federal share- $23) that was not recouped from the provider and credited back to the federal grantor. Documentation of support on hand at the time of invoice review and approval by EOHHS was difficult to determine. Our review of most high dollar contractor invoices required significant follow-up with the agency to agree amounts to the underlying contracts. Cause: The documentation of invoice reviews (especially high dollar contractor invoices) by EOHHS was lacking in certain areas resulting in significant follow-up with the agency and identification of the questioned costs above. While EOHHS reviews of special education claiming were well documented, procedural improvements to ensure that recoupments are made for identified services deemed unallowable are needed. Effect: Failure to comply with Uniform Guidance requirements for the allowability of program expenditures. Questioned Costs: $3,662 Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-074a Implement enhanced invoice review documentation requirements for significant contractor invoices to ensure compliance with Uniform Guidance requirements over allowable costs in the Medicaid Program. 2022-074b Improve procedures to ensure that recoupments are made for identified special education services deemed unallowable for Medicaid reimbursement.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA) Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA. Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for several programs during fiscal 2022. For some grants where the reporting requirement was applicable, no sub-award information was reported. [See Schedule of Findings and Questioned Costs for tables.] The State has not established statewide control procedures or monitoring to ensure FFATA reporting requirements are met by the various departments and agencies administering federal grants. Training to enhance awareness and compliance by State departments and agencies is needed. Cause: Centralized statewide controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements. Effect: The State did not sufficiently comply with the reporting requirements of FFATA. Questioned Costs: None Valid Statistical Sample: Not Applicable RECOMMENDATIONS 2022-038a Establish statewide policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA. 2022-038b Implement FFATA training for departments and agencies administering federal programs to enhance awareness and compliance.
SUBRECIPIENT MONITORING The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs. Background: The State currently relies on the specific grantee agencies to ensure compliance with federal regulations for subrecipient monitoring, when applicable to the underlying federal programs. There is no statewide monitoring to ensure that activities are performed to ensure compliance with federal regulations. Criteria: 2 CFR 200.332(d) ?Requirements for pass-through entities?, requires that all pass-through entities must ?monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.? That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.? Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed the subrecipient?s Single Audit, when applicable, or performed other required monitoring activities to comply with federal regulations. For these programs, the following results, specific to agency reviews of financial and performance reports, were deemed to be material noncompliance with subrecipient monitoring requirements: [See Schedule of Findings and Questioned Costs for tables.] For subrecipients that were not required to have Single Audits performed, agencies also did not perform required monitoring procedures, which could have included monitoring the subrecipient?s use of federal awards through reporting, site visits, regular contact, or other means to provide reasonable assurance that the subrecipient administers federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements. Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations. Effect: Noncompliance with federal compliance requirements by subrecipients could occur without the State identifying it in a timely manner. Questioned Costs: None Valid Statistical Sampling: Yes RECOMMENDATION 2022-039 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
CONTROLS OVER PANDEMIC-RELATED EXPENDITURES ALLOCABLE TO MULTIPLE FEDERAL AWARDS The State had insufficient controls to ensure expenditures were not reimbursed from more than one award under federal programs with similar pandemic response related objectives. Background: The State received an unprecedented amount of federal assistance to respond to the effects of the global pandemic including $1.25 billion for the Coronavirus Relief Fund (CRF) pursuant to the CARES Act. Assistance was also received under the FEMA Stafford Act Disaster Grants program and the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program. Certain costs were reimbursable under any of these programs and federal guidance was continually evolving which resulted in changing direction as to which costs were to be applied to a specific federal award. As guidelines and circumstances changed expenditures were often applied to one funding source and then subsequently adjusted to another funding source. Adjustments of program expenditures between federal programs often overlapped fiscal years due to the length of the pandemic. Criteria: Expenditures may only be reimbursed from one federal award. Condition: Due to changing federal guidelines and the evolving State response to the pandemic, costs were often charged to one funding source and then later moved to another funding source. When expenditures are reclassified or reallocated within the RIFANS accounting system, journal entries are used to move the aggregate dollar activity; however, the original transaction (expenditure/disbursement) remains in the account originally charged offset by a credit. This process complicates the identification of the underlying expenditures reimbursed by the federal award and increases the risk that expenditures could be reimbursed from more than one federal award. During fiscal 2022, we noted the following adjustments to financial activity supporting the cited control deficiency: ? Approximately $6.0 million in expenditures were adjusted from ELC to FEMA, and $2.9 million in expenditures adjusted from FEMA to ELC, including $2.3 million that is identified as ineligible for reimbursement to FEMA?s Disaster Grants program. ? Approximately $7.0 million was adjusted from CRF to FEMA?s Disaster Grants program and another $1.9 million from FEMA?s Disaster Grants program to CRF. Of those, $423,902 were identified as ineligible for reimbursement to FEMA?s Disaster Grants program, including some from the prior fiscal year. Controls were insufficient to ensure that costs were not reimbursed from more than one federal award. The State?s process for recording accounting adjustments via aggregate dollar journal entries limits the effectiveness of controls to prevent duplicate reimbursement from federal funding sources. Reconciliations to adequately identify any potential duplicate reimbursements were incomplete during fiscal 2022 but continued after the close of the fiscal year. Numerous journal entries were subsequently processed in fiscal 2022 to adjust COVID-related activity, for expenditures claimed in fiscal 2021 and fiscal 2020, between federal funding sources (principally CRF, FEMA, and ELC). While we acknowledge that the State has performed significant reconciliation procedures to identify instances where expenditures were charged to multiple federal programs, the manually intensive nature of those procedures does not fully mitigate the risk of the control deficiency. Cause: Due to the rapid response required during the pandemic, the existence of multiple federal funding sources, and continually evolving federal guidance, costs were moved and adjusted in the accounting system to various funding sources, which increased the risk that a cost could be reimbursed from more than one federal award. Effect: Potential duplicate reimbursement of expenditures from more than one federal award. Potential of charging costs for unallowable activities to federal programs as the expenditure detail is not maintained when expenditures are adjusted in the accounting system. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATION 2022-052 Ensure reconciliations and any required adjustments are complete to demonstrate that eligible COVID program costs were not reimbursed from more than one federal funding source.
FEDERAL FINANCIAL REPORTS AND QUARTERLY PROGRESS REPORTS RIEMA can improve its reporting function. Required federal financial reports for fiscal 2022 were not properly supported by the State?s accounting system. Quarterly progress reports contained comments that did not appear truly representative of the status of the specific projects at the end of the quarter. Criteria: Consistent with Uniform Guidance requirements, the State is required to complete the SF 425, Federal Financial Report, quarterly for the grant. The FFR should be sufficiently supported by the State?s accounting records. Additionally, 44 CFR ?206.204(f) requires that progress reports be submitted by grant recipients quarterly. The reports are to describe ?the status of those projects on which a final payment of the Federal share has not been made to the recipient and outline any problems or circumstances expected to result in noncompliance with the approved grant conditions.? Condition: We were unable to match amounts reported on each of the four quarterly SF-425 reports for fiscal 2022 to amounts included in the RIFANS accounting system. We noted variances between the amounts reported and both transactions in the RIFANS accounting system and obligations reported in FEMA?s grants portal. In certain instances, cash receipts were reported in quarters prior to the authorization in the FEMA grants portal and subsequent drawdown by the State. We separately performed testing of the quarterly progress reports for fiscal 2022. For the quarter ended June 30, 2022, we noted several projects with a status that costs were completed but not paid out to the recipient. Based on review of accounting records, these project costs were either allocated to the applicable State agency or paid to the recipient entity outside of the primary government (i.e., component unit, municipal government, non-profit organization) prior to the end of the quarter. Cause: RIEMA did not have procedures in place to ensure that federal reports were consistent with underlying supporting documentation (i.e., accounting system, agency tracking sheets). Effect: Expenditures reported on the SF-425 for this program were overstated. Quarterly progress reports did not accurately reflect the current status of open projects. Questioned Costs: None Valid Statistical Sampling: Not Applicable RECOMMENDATIONS 2022-075a Strengthen procedures for preparing federal financial reports to ensure that information reported is adequately supported and consistent with amounts included in the RIFANS accounting system. 2022-075b Submit revised SF-425 and quarterly progress reports to reflect corrected expenditures and drawdowns for fiscal 2022, as necessary.