Audit 27724

Department of Human Services Finding 2022 ? 006: ALN 10.551 and 10.561 ? Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2021-005) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 ? 9/30/2022), 211PA405S2514 (10/01/2020 ? 9/30/2021), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2101PATANFC6 (10/01/2020 ? 9/30/2022) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2022 totaled $5.6 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2022 totaled $129.7 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our review of the physical security over EBT cards, we noted exceptions at all CAO and district locations selected for testing. These exceptions included the following: 1) The ending inventory count of EBT cards at June 30, 2022 which was calculated using the weekly log including July 1, 2021, the daily logs for the fiscal year ended June 30, 2022, and the EBT shipment logs for the fiscal year ended June 30, 2022 did not reconcile to the inventory count on the weekly log including June 30, 2022 in the EBT Card Tracking Database (1 location); 2) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a district office. The master list includes five cardmakers and zero pinners. The district office list includes one pinner who is listed as a cardmaker on the master list (1 district office); 3) EBT cards were created outside of the hours of operations (2 district offices); 4) The Weekly Log was completed and closed prior to close of business (1 location); 5) The Electronic Payment Processing and Information Control (EPPIC) EBT Systems Application forms provided by a district office did not match the forms provided by the EBT Project Office (1 district office); 6) Failure to perform the following: ? Completion of the witness field on an EBT Shipment Verification Log (1 district); ? Completion of the weekly approver field on the Weekly Log (1 district office); ? Completion of the EBT Card Paper Logs daily instead of only in an emergency situation (1 location); ? Completion of the requestor field on the EPPIC EBT Systems Application forms (1 district office); ? Completion of the exceptions, approved, and approver fields on the Daily Log when a Form HS 764 was completed (2 district offices); ? Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 location); ? Designate a manager or supervisor to the EBT Coordinator role (1 location); Finding 2022 ? 006: (continued) ? Ensure that coverage for card pinning is available until 5:00 PM each business day (3 district offices and 1 location); ? Ensure EBT Card Tracking Database users are assigned the appropriate role responsibilities within the database. An employee has two active user accounts with different assigned staff roles to each account (1 district office); ? Ensure users no longer using the EBT Card Tracking Database are deactivated (1 district office and 1 location); ? Maintain adequate security of EBT cards (1 district office and 5 locations); ? Maintain adequate security of pinning device (1 district office and 4 locations); ? Maintain adequate security of EBT card printing device (1 location); ? Maintain adequate security of ribbons (1 district office and 4 locations); ? Maintain adequate security of paper EBT logs (3 locations); ? Maintain accurate EBT card inventory in the EBT Card Tracking Database (1 location); ? Maintain operational efficiency due to only having one PIN Select Device (1 district office); ? Maintain operational efficiency due to having an inoperable EBT Card Printer for a portion of the fiscal year (1 district office); ? Proper completion of Form HS 764 (1 district office and 1 location); ? Proper destruction of damaged EBT cards (1 district office); ? Proper format of the EPPIC EBT Systems Application form files sent to the Office of Income Maintenance (OIM) EBT Security Administrator (1 location); ? Scan Form HS 764 to case record after the EBT card is created (1 location); ? Provide the Ribbon Installation and Destruction Log from the EBT Card Tracking Database (1 district office); ? Retain EPPIC EBT Systems Application forms electronically (1 district office); ? Timely enter a shipment received into the EBT Card Tracking Database (1 location); ? Timely completion and submission of the EPPIC EBT Systems Application forms to OIM EBT Security (3 locations). Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions ? N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also ?75.361, 75.362, 75.363, 75.364, and 75.365): Finding 2022 ? 006: (continued) (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See ?75.303. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 006: ALN 10.551 and 10.561 ? Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2021-005) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 ? 9/30/2022), 211PA405S2514 (10/01/2020 ? 9/30/2021), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2101PATANFC6 (10/01/2020 ? 9/30/2022) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2022 totaled $5.6 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2022 totaled $129.7 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our review of the physical security over EBT cards, we noted exceptions at all CAO and district locations selected for testing. These exceptions included the following: 1) The ending inventory count of EBT cards at June 30, 2022 which was calculated using the weekly log including July 1, 2021, the daily logs for the fiscal year ended June 30, 2022, and the EBT shipment logs for the fiscal year ended June 30, 2022 did not reconcile to the inventory count on the weekly log including June 30, 2022 in the EBT Card Tracking Database (1 location); 2) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a district office. The master list includes five cardmakers and zero pinners. The district office list includes one pinner who is listed as a cardmaker on the master list (1 district office); 3) EBT cards were created outside of the hours of operations (2 district offices); 4) The Weekly Log was completed and closed prior to close of business (1 location); 5) The Electronic Payment Processing and Information Control (EPPIC) EBT Systems Application forms provided by a district office did not match the forms provided by the EBT Project Office (1 district office); 6) Failure to perform the following: ? Completion of the witness field on an EBT Shipment Verification Log (1 district); ? Completion of the weekly approver field on the Weekly Log (1 district office); ? Completion of the EBT Card Paper Logs daily instead of only in an emergency situation (1 location); ? Completion of the requestor field on the EPPIC EBT Systems Application forms (1 district office); ? Completion of the exceptions, approved, and approver fields on the Daily Log when a Form HS 764 was completed (2 district offices); ? Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 location); ? Designate a manager or supervisor to the EBT Coordinator role (1 location); Finding 2022 ? 006: (continued) ? Ensure that coverage for card pinning is available until 5:00 PM each business day (3 district offices and 1 location); ? Ensure EBT Card Tracking Database users are assigned the appropriate role responsibilities within the database. An employee has two active user accounts with different assigned staff roles to each account (1 district office); ? Ensure users no longer using the EBT Card Tracking Database are deactivated (1 district office and 1 location); ? Maintain adequate security of EBT cards (1 district office and 5 locations); ? Maintain adequate security of pinning device (1 district office and 4 locations); ? Maintain adequate security of EBT card printing device (1 location); ? Maintain adequate security of ribbons (1 district office and 4 locations); ? Maintain adequate security of paper EBT logs (3 locations); ? Maintain accurate EBT card inventory in the EBT Card Tracking Database (1 location); ? Maintain operational efficiency due to only having one PIN Select Device (1 district office); ? Maintain operational efficiency due to having an inoperable EBT Card Printer for a portion of the fiscal year (1 district office); ? Proper completion of Form HS 764 (1 district office and 1 location); ? Proper destruction of damaged EBT cards (1 district office); ? Proper format of the EPPIC EBT Systems Application form files sent to the Office of Income Maintenance (OIM) EBT Security Administrator (1 location); ? Scan Form HS 764 to case record after the EBT card is created (1 location); ? Provide the Ribbon Installation and Destruction Log from the EBT Card Tracking Database (1 district office); ? Retain EPPIC EBT Systems Application forms electronically (1 district office); ? Timely enter a shipment received into the EBT Card Tracking Database (1 location); ? Timely completion and submission of the EPPIC EBT Systems Application forms to OIM EBT Security (3 locations). Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions ? N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also ?75.361, 75.362, 75.363, 75.364, and 75.365): Finding 2022 ? 006: (continued) (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See ?75.303. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 006: ALN 10.551 and 10.561 ? Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2021-005) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 ? 9/30/2022), 211PA405S2514 (10/01/2020 ? 9/30/2021), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2101PATANFC6 (10/01/2020 ? 9/30/2022) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2022 totaled $5.6 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2022 totaled $129.7 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our review of the physical security over EBT cards, we noted exceptions at all CAO and district locations selected for testing. These exceptions included the following: 1) The ending inventory count of EBT cards at June 30, 2022 which was calculated using the weekly log including July 1, 2021, the daily logs for the fiscal year ended June 30, 2022, and the EBT shipment logs for the fiscal year ended June 30, 2022 did not reconcile to the inventory count on the weekly log including June 30, 2022 in the EBT Card Tracking Database (1 location); 2) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a district office. The master list includes five cardmakers and zero pinners. The district office list includes one pinner who is listed as a cardmaker on the master list (1 district office); 3) EBT cards were created outside of the hours of operations (2 district offices); 4) The Weekly Log was completed and closed prior to close of business (1 location); 5) The Electronic Payment Processing and Information Control (EPPIC) EBT Systems Application forms provided by a district office did not match the forms provided by the EBT Project Office (1 district office); 6) Failure to perform the following: ? Completion of the witness field on an EBT Shipment Verification Log (1 district); ? Completion of the weekly approver field on the Weekly Log (1 district office); ? Completion of the EBT Card Paper Logs daily instead of only in an emergency situation (1 location); ? Completion of the requestor field on the EPPIC EBT Systems Application forms (1 district office); ? Completion of the exceptions, approved, and approver fields on the Daily Log when a Form HS 764 was completed (2 district offices); ? Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 location); ? Designate a manager or supervisor to the EBT Coordinator role (1 location); Finding 2022 ? 006: (continued) ? Ensure that coverage for card pinning is available until 5:00 PM each business day (3 district offices and 1 location); ? Ensure EBT Card Tracking Database users are assigned the appropriate role responsibilities within the database. An employee has two active user accounts with different assigned staff roles to each account (1 district office); ? Ensure users no longer using the EBT Card Tracking Database are deactivated (1 district office and 1 location); ? Maintain adequate security of EBT cards (1 district office and 5 locations); ? Maintain adequate security of pinning device (1 district office and 4 locations); ? Maintain adequate security of EBT card printing device (1 location); ? Maintain adequate security of ribbons (1 district office and 4 locations); ? Maintain adequate security of paper EBT logs (3 locations); ? Maintain accurate EBT card inventory in the EBT Card Tracking Database (1 location); ? Maintain operational efficiency due to only having one PIN Select Device (1 district office); ? Maintain operational efficiency due to having an inoperable EBT Card Printer for a portion of the fiscal year (1 district office); ? Proper completion of Form HS 764 (1 district office and 1 location); ? Proper destruction of damaged EBT cards (1 district office); ? Proper format of the EPPIC EBT Systems Application form files sent to the Office of Income Maintenance (OIM) EBT Security Administrator (1 location); ? Scan Form HS 764 to case record after the EBT card is created (1 location); ? Provide the Ribbon Installation and Destruction Log from the EBT Card Tracking Database (1 district office); ? Retain EPPIC EBT Systems Application forms electronically (1 district office); ? Timely enter a shipment received into the EBT Card Tracking Database (1 location); ? Timely completion and submission of the EPPIC EBT Systems Application forms to OIM EBT Security (3 locations). Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions ? N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also ?75.361, 75.362, 75.363, 75.364, and 75.365): Finding 2022 ? 006: (continued) (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See ?75.303. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 006: ALN 10.551 and 10.561 ? Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2021-005) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 ? 9/30/2022), 211PA405S2514 (10/01/2020 ? 9/30/2021), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2101PATANFC6 (10/01/2020 ? 9/30/2022) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2022 totaled $5.6 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2022 totaled $129.7 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our review of the physical security over EBT cards, we noted exceptions at all CAO and district locations selected for testing. These exceptions included the following: 1) The ending inventory count of EBT cards at June 30, 2022 which was calculated using the weekly log including July 1, 2021, the daily logs for the fiscal year ended June 30, 2022, and the EBT shipment logs for the fiscal year ended June 30, 2022 did not reconcile to the inventory count on the weekly log including June 30, 2022 in the EBT Card Tracking Database (1 location); 2) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a district office. The master list includes five cardmakers and zero pinners. The district office list includes one pinner who is listed as a cardmaker on the master list (1 district office); 3) EBT cards were created outside of the hours of operations (2 district offices); 4) The Weekly Log was completed and closed prior to close of business (1 location); 5) The Electronic Payment Processing and Information Control (EPPIC) EBT Systems Application forms provided by a district office did not match the forms provided by the EBT Project Office (1 district office); 6) Failure to perform the following: ? Completion of the witness field on an EBT Shipment Verification Log (1 district); ? Completion of the weekly approver field on the Weekly Log (1 district office); ? Completion of the EBT Card Paper Logs daily instead of only in an emergency situation (1 location); ? Completion of the requestor field on the EPPIC EBT Systems Application forms (1 district office); ? Completion of the exceptions, approved, and approver fields on the Daily Log when a Form HS 764 was completed (2 district offices); ? Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 location); ? Designate a manager or supervisor to the EBT Coordinator role (1 location); Finding 2022 ? 006: (continued) ? Ensure that coverage for card pinning is available until 5:00 PM each business day (3 district offices and 1 location); ? Ensure EBT Card Tracking Database users are assigned the appropriate role responsibilities within the database. An employee has two active user accounts with different assigned staff roles to each account (1 district office); ? Ensure users no longer using the EBT Card Tracking Database are deactivated (1 district office and 1 location); ? Maintain adequate security of EBT cards (1 district office and 5 locations); ? Maintain adequate security of pinning device (1 district office and 4 locations); ? Maintain adequate security of EBT card printing device (1 location); ? Maintain adequate security of ribbons (1 district office and 4 locations); ? Maintain adequate security of paper EBT logs (3 locations); ? Maintain accurate EBT card inventory in the EBT Card Tracking Database (1 location); ? Maintain operational efficiency due to only having one PIN Select Device (1 district office); ? Maintain operational efficiency due to having an inoperable EBT Card Printer for a portion of the fiscal year (1 district office); ? Proper completion of Form HS 764 (1 district office and 1 location); ? Proper destruction of damaged EBT cards (1 district office); ? Proper format of the EPPIC EBT Systems Application form files sent to the Office of Income Maintenance (OIM) EBT Security Administrator (1 location); ? Scan Form HS 764 to case record after the EBT card is created (1 location); ? Provide the Ribbon Installation and Destruction Log from the EBT Card Tracking Database (1 district office); ? Retain EPPIC EBT Systems Application forms electronically (1 district office); ? Timely enter a shipment received into the EBT Card Tracking Database (1 location); ? Timely completion and submission of the EPPIC EBT Systems Application forms to OIM EBT Security (3 locations). Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions ? N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also ?75.361, 75.362, 75.363, 75.364, and 75.365): Finding 2022 ? 006: (continued) (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See ?75.303. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Environmental Protection Finding 2022 ? 005: ALN 15.252 ? Abandoned Mine Land Reclamation A Material Weakness and Material Noncompliance Exist at the Department of Environmental Protection Related to Subrecipient Monitoring (A Similar Condition Was Noted in Prior Year Finding 2021-004) Federal Grant Number(s) and Year(s): S21AF10015 (01/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 09/30/2023), S20AF20006 (01/01/2020 ?? 12/31/2022), S19AF20006 (01/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2022), S18AF20004 (11/01/2017 ?10/31/2023) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Department of Environmental Protection (DEP) administers the Abandoned Mine Land Reclamation (AMLR) program funded by the United States Department of the Interior (DOI). During the fiscal year ended June 30, 2022, DEP expended $49,400,302 within the AMLR program, of which $13,270,381 was paid to 18 subrecipients with whom DEP executed subrecipient agreements to provide abandoned mine land reclamation repairs and services throughout Pennsylvania. Our audit testing disclosed that DEP did not conduct risk assessments or program monitoring of these subrecipient expenditures during the fiscal year ended June 30, 2022, since DEP considered these entities to be contractors and not subrecipients. Based on a recent determination made by DEP, these entities should be categorized as subrecipients. As such, DEP began implementing procedures to ensure federal regulations are met regarding subrecipient agreements. However, these procedures were implemented subsequent to the fiscal year ended June 30, 2022. While Single Audits of the AMLR subrecipients may be conducted each year, this auditing activity does not compensate for the lack of during-the-award program monitoring, since the timing, focus, and scope of subrecipient auditing activities after year end are different than compliance monitoring to be performed by program officials during the year. Criteria: As part of administering the AMLR program, DEP must have policies, procedures, and controls in place to ensure compliance with federal requirements within contract requirements and regulations. 2 CFR Section 200.332, Requirements for pass through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521 [Management decision]. Finding 2022 ? 005: (continued) (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in ?200.425 [Audit services]. The standard contract agreement between DEP and the local grantee states, in part: Audit/Compliance Review Requirements - The contractor must comply with all applicable federal and state grant requirements including the Single Audit Act Amendments of 1996; 2 CFR Part 200 as amended; and any other applicable law or regulation, and any amendment to such other applicable law or regulation that may be enacted or promulgated by the federal government. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: In previous years, DEP management considered these entities as contractors for whom subrecipient monitoring requirements were not applicable. However, based on recent determinations, DEP acknowledges these entities as subrecipients, not contractors, subject to federal subrecipient requirements. Effect: Without the completion of risk assessments and subrecipient monitoring, DEP cannot ensure compliance with federal statutes, regulations, and the terms and conditions of the subrecipient contracts, confirm that local subrecipients are performing satisfactory work, ensure the efficient use of program resources, and minimize the risk for fraud and abuse. Completing monitoring activities is essential for DEP to determine whether the local agencies are complying with federal regulations and spending grant funds appropriately. Recommendation: We recommend that DEP continue to develop and implement written policies and procedures for performing risk based during-the-award subrecipient monitoring and implement them immediately to ensure timely subrecipient compliance with federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. Agency Response: The Department of Environmental Protection agrees with the facts as presented in this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 007: ALN 21.023 ? COVID 19 ? Emergency Rental Assistance Program A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to Submission of Emergency Rental Assistance Monthly and Quarterly Reporting and Special Tests and Provisions Related to ERA Funds Reallocation (A Similar Condition Was Noted in Prior Year Finding 2021-006) Federal Grant Number(s) and Year(s): G019649899 (3/13/2020 ? 9/30/2025), G017649899 (3/13/2020 ? 9/30/2025) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirements: Reporting and Special Tests and Provisions related to ERA Funds Reallocation Condition: Emergency Rental Assistance (ERA) 1 and ERA 2 state, local, and territorial recipients were required to submit monthly and quarterly reports to the United States Department of the Treasury (US Treasury). The monthly reports are brief two-question updates through which ERA recipients provide US Treasury with very high-level counts of the numbers of households receiving assistance and the amounts of ERA funds distributed. The quarterly reports are in-depth reports with data on an array of programmatic and financial information to provide transparency in the use and progress of ERA funds. Monthly reports were required for each month of the fiscal year ended June 30, 2022 and were due 15 days after the end of the month. Quarterly reports were required for each quarter of the fiscal year ended June 30, 2022 and were due October 29, 2021, February 1, 2022, April 15, 2022, and July 15, 2022. As the direct recipient of ERA funds, the Department of Human Services (DHS) is responsible for ensuring the timeliness and accuracy of the report submissions. DHS obtained report information from subrecipients which was compiled and included in the submitted reports. The reports contained all required data elements, however, DHS did not implement policies and procedures to ensure the accuracy of the information reported by the counties. Therefore, DHS was unable to provide supporting documentation for amounts reported by county subrecipients on the reports or to demonstrate that they had reviewed and verified the accuracy of this information. In addition, DHS was unable to provide support for timely submission of monthly reports. Criteria: The Emergency Rental Assistance Program Reporting Guidance published by the US Treasury identifies several steps in the reporting process: ? Recipients gather and maintain required information such as counts of applicants and participants; amounts paid directly or indirectly to tenants, landlords, and utility/home energy providers; amounts paid to subrecipients and contractors; and administrative expenses. ? Recipients will need to communicate with and gather required information from their subrecipients and contractors, if applicable. ? After manually entering or uploading the report information, Recipients must review the information entered or submitted to the online reporting forms for any errors and completeness. Following completion of the report in Treasury?s portal, the Recipient?s designated Authorized Representative for Reporting must certify to the authenticity and accuracy of the information provided and formally submit the report to Treasury. Finding 2022 ? 007: (continued) The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the Emergency Rental Assistance Program, Special Tests and Provisions ? N. ERA Funds Reallocations, states in part: ? Financial information certified by grantees used by Treasury to make reallocation determinations must be accurate and excess funds that are subject to involuntary recapture must be returned to Treasury in accordance with Treasury?s confirmation letter. ? The financial information certified as part of reallocation includes monthly expenditure and cumulative obligations levels, as described in the Treasury reallocation guidance. ERA 1 expenditures reported monthly by the grantee are inputs to Treasury?s reallocation expenditure ratio. ERA1 obligations certified in the Request for Reallocated Funds form (1505-0266), including in the Request for Voluntarily Reallocated Funds, are inputs into determining eligibility to receive reallocated funds. ? Pursuant to section 501(d) of the Consolidated Appropriations Act, 2021, Treasury is required to reallocate ?excess? ERA 1 award funds. Treasury?s objective in reallocations is to ensure ERA 1 award funds remain available to grantees in accordance with their jurisdictional needs and demonstrated capacity to deliver assistance while the ERA appropriations remain available. 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework?, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: DHS did not implement policies and procedures to ensure the accuracy of information reported by counties which was included on the reports. DHS also did not implement policies and procedures to ensure that it maintained documentation of timely submission. Effect: Without review and validation of the detail supporting the summary information reported by counties, the reports may have contained inaccurate information. Inaccurate and/or untimely submission of monthly reports could impact the US Treasury?s ability to reallocate ERA 1 award funds pursuant to section 501(d) of the 2021 Consolidated Appropriations Act. Recommendation: We recommend that DHS implement formal policies and procedures to verify the information reported by counties to be included on the reports. Reported amounts should be reviewed for accuracy before reports are submitted to US Treasury to ensure that reports filed are complete and accurate. We further recommend that DHS retains documentation supporting when reports are submitted, and that this documentation is available for audit. Finding 2022 ? 007: (continued) Agency Response: DHS agrees with this finding. Pennsylvania legislation directed DHS funds to all 67 counties including 18 counties that received direct federal funds. Each subgrantee reported information regarding metrics outlined by the 10th of the month for the prior month. DHS reconciles various metrics in order to comply with US Treasury?s deadline to report monthly on the 15th of the month for the prior month. Similar to other DHS programs, DHS has implemented an after-action review of information submitted, using a contracted vendor. DHS faced challenges implementing a program with 67 counties and no central eligibility determination system. DHS has learned that standing up the supportive services and multi-sector partnerships was challenging in the context of the global pandemic workforce shortages. This made DHS dependent on local county reports to maintain program oversight and compile statewide data for submission to US Treasury. DHS will strengthen this control as we plan for future emergency or pandemic programs related to rental assistance. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of the Budget ? Governor?s Budget Office Finding 2022 ? 011: ALN 21.027 ? COVID 19 ? Coronavirus State and Local Fiscal Recovery Funds A Significant Deficiency and Noncompliance Exist Related to Preparation of the Interim Report Federal Grant Number(s) and Year(s): TN75GJE1S7G3 (3/03/2021 ? 12/31/2024) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Reporting Condition: The Coronavirus State and Local Fiscal Recovery Funds (SLFRF) program was established under the American Rescue Plan Act to provide support to state, territorial, local, and tribal governments in responding to the economic and public health impacts of the COVID-19 pandemic. The Commonwealth of Pennsylvania, as a recipient of SLFRF funding, was required to submit a one-time Interim Report with expenditures by expenditure category, which provides an overview of the status and use of program funds. The Office of the Budget, Governor?s Budget Office (GBO), excluded $14,481,522 from the Interim Report which represents expenditures that had been approved but not paid as of July 31, 2021. These transactions were included as expenditures in the Commonwealth?s accounting system as of July 31, 2021, but payment had not yet been issued. Per the United States Department of the Treasury?s (US Treasury) reporting guidance, this amount should have been included on the Interim Report as an obligation for the period ending July 31, 2021. Criteria: The SLFRF Compliance and Reporting Guidance, issued by the US Treasury on June 17, 2022, states in part: States ? were required to submit a one-time interim report with expenditures by Expenditure Category from the date of award to July 31, 2021, by August 31, 2021 or sixty (60) days after first receiving funding if the recipient?s date of award was between July 15, 2021 and October 15, 2021. The recipient was required to enter obligations and expenditures and, for each, select the specific expenditure category from the available options. The report is required to be submitted to the US Treasury?s SLFRF portal, and for reporting purposes, an expenditure is the amount that has been incurred as a liability of the entity (the service has been rendered or the good has been delivered to the entity), and an obligation is an order placed for property and services, contracts and subawards made, and similar transactions that require payment. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: When the Interim Report was prepared, GBO interpreted program reporting requirements to be that the expenditures and obligations reported should match the Non-Entitlement Units (NEU) reports the Commonwealth had on file with US Treasury. Therefore, GBO reported only disbursements issued by the Pennsylvania Treasury by July 31, 2021 and excluded expenditures incurred in the accounting system that had not yet been issued as of July 31, 2021. Effect: GBO did not fully report program obligations on the Interim Report as of July 31, 2021. Recommendation: We recommend that GBO report all transactions that have been expended and/or approved for payment in accordance with program reporting requirements. Finding 2022 ? 011: (continued) Agency Response: GBO agrees with this finding. Questioned Costs: None noted as the expenditures were subsequently reported to US Treasury in Project and Expenditure Reports. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Education Finding 2022 ? 004: ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER A Significant Deficiency and Noncompliance Exist at the Department of Education Related to Submission of GEER, ESSER, and CRRSA EANS Annual Reporting (A Similar Condition Was Noted in Prior Year Finding 2021-003) Federal Grant Number(s) and Year(s): S425D200028 (3/13/2020 ? 9/30/2024), S425D210028 (3/13/2020 ? 9/30/2024), S425U210028 (3/13/2020 ? 9/30/2024) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Reporting Condition: As the State Educational Agency (SEA), the Pennsylvania Department of Education (PDE) is required to submit annual data reports to the United States Department of Education (USDE) for the components of the Education Stabilization Fund (ESF) program. These reports support the annual collection of data pertaining to the uses of funds under the Governor?s Emergency Education Relief (GEER) Fund, Elementary and Secondary School Emergency Relief (ESSER) Fund, Coronavirus Response and Relief Supplemental Appropriations Act, 2021 ? Emergency Assistance to Non-Public Schools (CRRSA EANS) Program, and the American Rescue Plan ? Elementary and Secondary School Emergency Relief (ARP ESSER). USDE awards ESF grants to SEAs for the purpose of providing local educational agencies (LEAs), including charter schools that are LEAs, with emergency relief funds to address the impact of the Novel Coronavirus Disease 2019 (COVID-19) on elementary and secondary schools across the nation. LEAs must provide equitable services to students and teachers in non-public schools as required under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). During the fiscal year ended June 30, 2022, PDE was required to submit the ESSER and ARP ESSER annual report for the period October 1, 2020 through June 30, 2021 and the GEER and CRRSA EANS annual reports for the period July 1, 2020 through June 30, 2021. As the direct recipient of ESSER, ARP ESSER, GEER, and CRRSA EANS funds, PDE is responsible for ensuring the timeliness and accuracy of the annual report submissions. PDE obtained summary information from the LEAs to compile and submit the reports which contained all required data elements. However, PDE did not implement policies and procedures to ensure the accuracy of the information reported by the LEAs. Therefore, PDE was unable to provide supporting documentation for amounts reported by LEAs on the annual reports or to demonstrate that they had reviewed and verified the accuracy of this information. Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the Education Stabilization Fund, Section L.3.a, Reporting ? Special Reporting ? Annual Reporting ? SEA/Governor, states in part: ESSER, GEER, and [CRRSA] EANS grantees must submit an annual performance report (OMB No. 1810-0749 for ESSER; 1810-0748 for GEER; and 1810-0765 for EANS) with data on expenditures, planned expenditures, subrecipients, and uses of funds, including for mandatory reservations. Finding 2022 ? 004: (continued) 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework?, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDE did not implement policies and procedures to ensure the accuracy of information reported by LEAs which was included on the Annual Reports. Effect: Without review and validation of the detail supporting the summary information reported by LEAs, the Annual Reports may have contained inaccurate information. Recommendation: We recommend that PDE implement formal policies and procedures to verify the information reported by LEAs to be included on the Annual Reports. Reported amounts should be reviewed for accuracy before reports are submitted to USDE to ensure that reports filed are complete and accurate. Agency Response: PDE agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Education Finding 2022 ? 004: ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER A Significant Deficiency and Noncompliance Exist at the Department of Education Related to Submission of GEER, ESSER, and CRRSA EANS Annual Reporting (A Similar Condition Was Noted in Prior Year Finding 2021-003) Federal Grant Number(s) and Year(s): S425D200028 (3/13/2020 ? 9/30/2024), S425D210028 (3/13/2020 ? 9/30/2024), S425U210028 (3/13/2020 ? 9/30/2024) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Reporting Condition: As the State Educational Agency (SEA), the Pennsylvania Department of Education (PDE) is required to submit annual data reports to the United States Department of Education (USDE) for the components of the Education Stabilization Fund (ESF) program. These reports support the annual collection of data pertaining to the uses of funds under the Governor?s Emergency Education Relief (GEER) Fund, Elementary and Secondary School Emergency Relief (ESSER) Fund, Coronavirus Response and Relief Supplemental Appropriations Act, 2021 ? Emergency Assistance to Non-Public Schools (CRRSA EANS) Program, and the American Rescue Plan ? Elementary and Secondary School Emergency Relief (ARP ESSER). USDE awards ESF grants to SEAs for the purpose of providing local educational agencies (LEAs), including charter schools that are LEAs, with emergency relief funds to address the impact of the Novel Coronavirus Disease 2019 (COVID-19) on elementary and secondary schools across the nation. LEAs must provide equitable services to students and teachers in non-public schools as required under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). During the fiscal year ended June 30, 2022, PDE was required to submit the ESSER and ARP ESSER annual report for the period October 1, 2020 through June 30, 2021 and the GEER and CRRSA EANS annual reports for the period July 1, 2020 through June 30, 2021. As the direct recipient of ESSER, ARP ESSER, GEER, and CRRSA EANS funds, PDE is responsible for ensuring the timeliness and accuracy of the annual report submissions. PDE obtained summary information from the LEAs to compile and submit the reports which contained all required data elements. However, PDE did not implement policies and procedures to ensure the accuracy of the information reported by the LEAs. Therefore, PDE was unable to provide supporting documentation for amounts reported by LEAs on the annual reports or to demonstrate that they had reviewed and verified the accuracy of this information. Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the Education Stabilization Fund, Section L.3.a, Reporting ? Special Reporting ? Annual Reporting ? SEA/Governor, states in part: ESSER, GEER, and [CRRSA] EANS grantees must submit an annual performance report (OMB No. 1810-0749 for ESSER; 1810-0748 for GEER; and 1810-0765 for EANS) with data on expenditures, planned expenditures, subrecipients, and uses of funds, including for mandatory reservations. Finding 2022 ? 004: (continued) 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework?, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDE did not implement policies and procedures to ensure the accuracy of information reported by LEAs which was included on the Annual Reports. Effect: Without review and validation of the detail supporting the summary information reported by LEAs, the Annual Reports may have contained inaccurate information. Recommendation: We recommend that PDE implement formal policies and procedures to verify the information reported by LEAs to be included on the Annual Reports. Reported amounts should be reviewed for accuracy before reports are submitted to USDE to ensure that reports filed are complete and accurate. Agency Response: PDE agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Education Finding 2022 ? 004: ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER A Significant Deficiency and Noncompliance Exist at the Department of Education Related to Submission of GEER, ESSER, and CRRSA EANS Annual Reporting (A Similar Condition Was Noted in Prior Year Finding 2021-003) Federal Grant Number(s) and Year(s): S425D200028 (3/13/2020 ? 9/30/2024), S425D210028 (3/13/2020 ? 9/30/2024), S425U210028 (3/13/2020 ? 9/30/2024) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Reporting Condition: As the State Educational Agency (SEA), the Pennsylvania Department of Education (PDE) is required to submit annual data reports to the United States Department of Education (USDE) for the components of the Education Stabilization Fund (ESF) program. These reports support the annual collection of data pertaining to the uses of funds under the Governor?s Emergency Education Relief (GEER) Fund, Elementary and Secondary School Emergency Relief (ESSER) Fund, Coronavirus Response and Relief Supplemental Appropriations Act, 2021 ? Emergency Assistance to Non-Public Schools (CRRSA EANS) Program, and the American Rescue Plan ? Elementary and Secondary School Emergency Relief (ARP ESSER). USDE awards ESF grants to SEAs for the purpose of providing local educational agencies (LEAs), including charter schools that are LEAs, with emergency relief funds to address the impact of the Novel Coronavirus Disease 2019 (COVID-19) on elementary and secondary schools across the nation. LEAs must provide equitable services to students and teachers in non-public schools as required under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). During the fiscal year ended June 30, 2022, PDE was required to submit the ESSER and ARP ESSER annual report for the period October 1, 2020 through June 30, 2021 and the GEER and CRRSA EANS annual reports for the period July 1, 2020 through June 30, 2021. As the direct recipient of ESSER, ARP ESSER, GEER, and CRRSA EANS funds, PDE is responsible for ensuring the timeliness and accuracy of the annual report submissions. PDE obtained summary information from the LEAs to compile and submit the reports which contained all required data elements. However, PDE did not implement policies and procedures to ensure the accuracy of the information reported by the LEAs. Therefore, PDE was unable to provide supporting documentation for amounts reported by LEAs on the annual reports or to demonstrate that they had reviewed and verified the accuracy of this information. Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the Education Stabilization Fund, Section L.3.a, Reporting ? Special Reporting ? Annual Reporting ? SEA/Governor, states in part: ESSER, GEER, and [CRRSA] EANS grantees must submit an annual performance report (OMB No. 1810-0749 for ESSER; 1810-0748 for GEER; and 1810-0765 for EANS) with data on expenditures, planned expenditures, subrecipients, and uses of funds, including for mandatory reservations. Finding 2022 ? 004: (continued) 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework?, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDE did not implement policies and procedures to ensure the accuracy of information reported by LEAs which was included on the Annual Reports. Effect: Without review and validation of the detail supporting the summary information reported by LEAs, the Annual Reports may have contained inaccurate information. Recommendation: We recommend that PDE implement formal policies and procedures to verify the information reported by LEAs to be included on the Annual Reports. Reported amounts should be reviewed for accuracy before reports are submitted to USDE to ensure that reports filed are complete and accurate. Agency Response: PDE agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Education Finding 2022 ? 004: ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER A Significant Deficiency and Noncompliance Exist at the Department of Education Related to Submission of GEER, ESSER, and CRRSA EANS Annual Reporting (A Similar Condition Was Noted in Prior Year Finding 2021-003) Federal Grant Number(s) and Year(s): S425D200028 (3/13/2020 ? 9/30/2024), S425D210028 (3/13/2020 ? 9/30/2024), S425U210028 (3/13/2020 ? 9/30/2024) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Reporting Condition: As the State Educational Agency (SEA), the Pennsylvania Department of Education (PDE) is required to submit annual data reports to the United States Department of Education (USDE) for the components of the Education Stabilization Fund (ESF) program. These reports support the annual collection of data pertaining to the uses of funds under the Governor?s Emergency Education Relief (GEER) Fund, Elementary and Secondary School Emergency Relief (ESSER) Fund, Coronavirus Response and Relief Supplemental Appropriations Act, 2021 ? Emergency Assistance to Non-Public Schools (CRRSA EANS) Program, and the American Rescue Plan ? Elementary and Secondary School Emergency Relief (ARP ESSER). USDE awards ESF grants to SEAs for the purpose of providing local educational agencies (LEAs), including charter schools that are LEAs, with emergency relief funds to address the impact of the Novel Coronavirus Disease 2019 (COVID-19) on elementary and secondary schools across the nation. LEAs must provide equitable services to students and teachers in non-public schools as required under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). During the fiscal year ended June 30, 2022, PDE was required to submit the ESSER and ARP ESSER annual report for the period October 1, 2020 through June 30, 2021 and the GEER and CRRSA EANS annual reports for the period July 1, 2020 through June 30, 2021. As the direct recipient of ESSER, ARP ESSER, GEER, and CRRSA EANS funds, PDE is responsible for ensuring the timeliness and accuracy of the annual report submissions. PDE obtained summary information from the LEAs to compile and submit the reports which contained all required data elements. However, PDE did not implement policies and procedures to ensure the accuracy of the information reported by the LEAs. Therefore, PDE was unable to provide supporting documentation for amounts reported by LEAs on the annual reports or to demonstrate that they had reviewed and verified the accuracy of this information. Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the Education Stabilization Fund, Section L.3.a, Reporting ? Special Reporting ? Annual Reporting ? SEA/Governor, states in part: ESSER, GEER, and [CRRSA] EANS grantees must submit an annual performance report (OMB No. 1810-0749 for ESSER; 1810-0748 for GEER; and 1810-0765 for EANS) with data on expenditures, planned expenditures, subrecipients, and uses of funds, including for mandatory reservations. Finding 2022 ? 004: (continued) 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework?, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDE did not implement policies and procedures to ensure the accuracy of information reported by LEAs which was included on the Annual Reports. Effect: Without review and validation of the detail supporting the summary information reported by LEAs, the Annual Reports may have contained inaccurate information. Recommendation: We recommend that PDE implement formal policies and procedures to verify the information reported by LEAs to be included on the Annual Reports. Reported amounts should be reviewed for accuracy before reports are submitted to USDE to ensure that reports filed are complete and accurate. Agency Response: PDE agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of the Budget ? Office of Comptroller Operations Finding 2022 ? 012: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s FFATA Reporting Process Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth?s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month?s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $113.1 million from ten major programs disclosed that 13 transactions totaling $29.2 million, or 33 percent of transactions tested, were not reported to FSRS. Specifically, the 13 transactions for which the FFATA information was not reported occurred within three of the ten programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (1) Not all subrecipient awards within total subrecipient expenditures (program total) may meet the criteria for FFATA reporting. Finding 2022 ? 012: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2022 ? 012: (continued) Cause: OB-BAFM personnel indicated that due to staff turnover, certain subawards were not reported to FSRS because the award dates were not being entered for the internal order number in SAP. The award dates identify the contracts that are extracted from SAP for the upload to the FFATA database and the subsequent upload to FSRS. As a result of our testing, OB-BAFM personnel indicated they have established and implemented procedures to ensure award dates are entered into SAP for all internal orders so that the required subawards are properly reported in FSRS. The new procedures also include review of the FFATA information to ensure the data is consistent and correct before being uploaded to FSRS. Regarding the 13 transactions identified during our testing that were not reported to the FFATA database, OB-BAFM personnel indicated they subsequently identified and entered award dates for subawards that were missing an award date, allowing the award information to upload to the FFATA database and FSRS as required. Effect: Since the award dates for 13 internal order numbers were not entered in SAP, the awards failed to upload to the FFATA database and were not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements may recur in future periods if control deficiencies are not corrected to ensure completeness of the upload to FSRS. Recommendation: We recommend that OB-BAFM continue to implement their established procedures to ensure all subrecipient contract information is properly recorded in SAP and the upload into the FFATA database, and FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of the Budget ? Office of Comptroller Operations Finding 2022 ? 012: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s FFATA Reporting Process Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth?s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month?s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $113.1 million from ten major programs disclosed that 13 transactions totaling $29.2 million, or 33 percent of transactions tested, were not reported to FSRS. Specifically, the 13 transactions for which the FFATA information was not reported occurred within three of the ten programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (1) Not all subrecipient awards within total subrecipient expenditures (program total) may meet the criteria for FFATA reporting. Finding 2022 ? 012: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2022 ? 012: (continued) Cause: OB-BAFM personnel indicated that due to staff turnover, certain subawards were not reported to FSRS because the award dates were not being entered for the internal order number in SAP. The award dates identify the contracts that are extracted from SAP for the upload to the FFATA database and the subsequent upload to FSRS. As a result of our testing, OB-BAFM personnel indicated they have established and implemented procedures to ensure award dates are entered into SAP for all internal orders so that the required subawards are properly reported in FSRS. The new procedures also include review of the FFATA information to ensure the data is consistent and correct before being uploaded to FSRS. Regarding the 13 transactions identified during our testing that were not reported to the FFATA database, OB-BAFM personnel indicated they subsequently identified and entered award dates for subawards that were missing an award date, allowing the award information to upload to the FFATA database and FSRS as required. Effect: Since the award dates for 13 internal order numbers were not entered in SAP, the awards failed to upload to the FFATA database and were not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements may recur in future periods if control deficiencies are not corrected to ensure completeness of the upload to FSRS. Recommendation: We recommend that OB-BAFM continue to implement their established procedures to ensure all subrecipient contract information is properly recorded in SAP and the upload into the FFATA database, and FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of the Budget ? Office of Comptroller Operations Finding 2022 ? 012: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s FFATA Reporting Process Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth?s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month?s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $113.1 million from ten major programs disclosed that 13 transactions totaling $29.2 million, or 33 percent of transactions tested, were not reported to FSRS. Specifically, the 13 transactions for which the FFATA information was not reported occurred within three of the ten programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (1) Not all subrecipient awards within total subrecipient expenditures (program total) may meet the criteria for FFATA reporting. Finding 2022 ? 012: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2022 ? 012: (continued) Cause: OB-BAFM personnel indicated that due to staff turnover, certain subawards were not reported to FSRS because the award dates were not being entered for the internal order number in SAP. The award dates identify the contracts that are extracted from SAP for the upload to the FFATA database and the subsequent upload to FSRS. As a result of our testing, OB-BAFM personnel indicated they have established and implemented procedures to ensure award dates are entered into SAP for all internal orders so that the required subawards are properly reported in FSRS. The new procedures also include review of the FFATA information to ensure the data is consistent and correct before being uploaded to FSRS. Regarding the 13 transactions identified during our testing that were not reported to the FFATA database, OB-BAFM personnel indicated they subsequently identified and entered award dates for subawards that were missing an award date, allowing the award information to upload to the FFATA database and FSRS as required. Effect: Since the award dates for 13 internal order numbers were not entered in SAP, the awards failed to upload to the FFATA database and were not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements may recur in future periods if control deficiencies are not corrected to ensure completeness of the upload to FSRS. Recommendation: We recommend that OB-BAFM continue to implement their established procedures to ensure all subrecipient contract information is properly recorded in SAP and the upload into the FFATA database, and FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 009: ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2021-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2021 ? 9/30/2022), 2205PA5ADM (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021), 2105PA5ADM (10/01/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid National Correct Coding Initiative (NCCI) methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS?s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS?s PROMISe vendor. During the fiscal year ended June 30, 2022, DHS did not ensure that its contract and amendments with the PROMISe vendor included two out of seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The two missing elements included: ? Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. ? Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. Finding 2022 ? 009: (continued) The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: DHS personnel added five of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to a PROMISe vendor contract amendment in 2022 but did not add the remaining two elements because they believed the elements were already covered by existing contract terms. Effect: Since DHS did not ensure two of the seven elements of the required NCCI Confidentiality Agreement were included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the two missing elements of the required NCCI Confidentiality Agreement are included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 009: ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2021-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2021 ? 9/30/2022), 2205PA5ADM (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021), 2105PA5ADM (10/01/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid National Correct Coding Initiative (NCCI) methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS?s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS?s PROMISe vendor. During the fiscal year ended June 30, 2022, DHS did not ensure that its contract and amendments with the PROMISe vendor included two out of seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The two missing elements included: ? Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. ? Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. Finding 2022 ? 009: (continued) The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: DHS personnel added five of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to a PROMISe vendor contract amendment in 2022 but did not add the remaining two elements because they believed the elements were already covered by existing contract terms. Effect: Since DHS did not ensure two of the seven elements of the required NCCI Confidentiality Agreement were included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the two missing elements of the required NCCI Confidentiality Agreement are included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 009: ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2021-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2021 ? 9/30/2022), 2205PA5ADM (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021), 2105PA5ADM (10/01/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid National Correct Coding Initiative (NCCI) methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS?s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS?s PROMISe vendor. During the fiscal year ended June 30, 2022, DHS did not ensure that its contract and amendments with the PROMISe vendor included two out of seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The two missing elements included: ? Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. ? Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. Finding 2022 ? 009: (continued) The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: DHS personnel added five of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to a PROMISe vendor contract amendment in 2022 but did not add the remaining two elements because they believed the elements were already covered by existing contract terms. Effect: Since DHS did not ensure two of the seven elements of the required NCCI Confidentiality Agreement were included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the two missing elements of the required NCCI Confidentiality Agreement are included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 009: ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2021-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2021 ? 9/30/2022), 2205PA5ADM (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021), 2105PA5ADM (10/01/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid National Correct Coding Initiative (NCCI) methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS?s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS?s PROMISe vendor. During the fiscal year ended June 30, 2022, DHS did not ensure that its contract and amendments with the PROMISe vendor included two out of seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The two missing elements included: ? Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. ? Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. Finding 2022 ? 009: (continued) The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: DHS personnel added five of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to a PROMISe vendor contract amendment in 2022 but did not add the remaining two elements because they believed the elements were already covered by existing contract terms. Effect: Since DHS did not ensure two of the seven elements of the required NCCI Confidentiality Agreement were included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the two missing elements of the required NCCI Confidentiality Agreement are included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 009: ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2021-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2021 ? 9/30/2022), 2205PA5ADM (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021), 2105PA5ADM (10/01/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid National Correct Coding Initiative (NCCI) methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS?s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS?s PROMISe vendor. During the fiscal year ended June 30, 2022, DHS did not ensure that its contract and amendments with the PROMISe vendor included two out of seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The two missing elements included: ? Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. ? Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. Finding 2022 ? 009: (continued) The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: DHS personnel added five of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to a PROMISe vendor contract amendment in 2022 but did not add the remaining two elements because they believed the elements were already covered by existing contract terms. Effect: Since DHS did not ensure two of the seven elements of the required NCCI Confidentiality Agreement were included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the two missing elements of the required NCCI Confidentiality Agreement are included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of the Budget ? Office of Comptroller Operations Finding 2022 ? 012: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s FFATA Reporting Process Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth?s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month?s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $113.1 million from ten major programs disclosed that 13 transactions totaling $29.2 million, or 33 percent of transactions tested, were not reported to FSRS. Specifically, the 13 transactions for which the FFATA information was not reported occurred within three of the ten programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (1) Not all subrecipient awards within total subrecipient expenditures (program total) may meet the criteria for FFATA reporting. Finding 2022 ? 012: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2022 ? 012: (continued) Cause: OB-BAFM personnel indicated that due to staff turnover, certain subawards were not reported to FSRS because the award dates were not being entered for the internal order number in SAP. The award dates identify the contracts that are extracted from SAP for the upload to the FFATA database and the subsequent upload to FSRS. As a result of our testing, OB-BAFM personnel indicated they have established and implemented procedures to ensure award dates are entered into SAP for all internal orders so that the required subawards are properly reported in FSRS. The new procedures also include review of the FFATA information to ensure the data is consistent and correct before being uploaded to FSRS. Regarding the 13 transactions identified during our testing that were not reported to the FFATA database, OB-BAFM personnel indicated they subsequently identified and entered award dates for subawards that were missing an award date, allowing the award information to upload to the FFATA database and FSRS as required. Effect: Since the award dates for 13 internal order numbers were not entered in SAP, the awards failed to upload to the FFATA database and were not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements may recur in future periods if control deficiencies are not corrected to ensure completeness of the upload to FSRS. Recommendation: We recommend that OB-BAFM continue to implement their established procedures to ensure all subrecipient contract information is properly recorded in SAP and the upload into the FFATA database, and FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 013: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient?s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2021-014) Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1901PATANF (10/01/2018 ? 9/30/2019), 2101PAADPT (10/01/2020 ? 9/30/2021), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2022. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the DHS and the Pennsylvania Department of Health (DOH) did not adequately evaluate each subrecipient?s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients? Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by ?No?) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient?s risk of noncompliance. SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2022 ? 013: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) (1) Although an evaluation of subrecipient risk was conducted, the only risk factor used in the evaluation was the error rate detected for the county subrecipients. The evaluation is deemed inadequate since there was no written evidence that the risk assessment considered other risk factors, such as the risk factors identified in 2 CFR Section 200.332. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient?s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient?s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Finding 2022 ? 013: (continued) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS?s process for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS and DOH were not properly documented. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Recommendation: DHS should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS and DOH should implement procedures to adequately document their evaluation of each subrecipient?s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with this finding. DOH Response: DOH agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of the Budget ? Office of Comptroller Operations Finding 2022 ? 012: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s FFATA Reporting Process Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth?s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month?s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $113.1 million from ten major programs disclosed that 13 transactions totaling $29.2 million, or 33 percent of transactions tested, were not reported to FSRS. Specifically, the 13 transactions for which the FFATA information was not reported occurred within three of the ten programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (1) Not all subrecipient awards within total subrecipient expenditures (program total) may meet the criteria for FFATA reporting. Finding 2022 ? 012: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2022 ? 012: (continued) Cause: OB-BAFM personnel indicated that due to staff turnover, certain subawards were not reported to FSRS because the award dates were not being entered for the internal order number in SAP. The award dates identify the contracts that are extracted from SAP for the upload to the FFATA database and the subsequent upload to FSRS. As a result of our testing, OB-BAFM personnel indicated they have established and implemented procedures to ensure award dates are entered into SAP for all internal orders so that the required subawards are properly reported in FSRS. The new procedures also include review of the FFATA information to ensure the data is consistent and correct before being uploaded to FSRS. Regarding the 13 transactions identified during our testing that were not reported to the FFATA database, OB-BAFM personnel indicated they subsequently identified and entered award dates for subawards that were missing an award date, allowing the award information to upload to the FFATA database and FSRS as required. Effect: Since the award dates for 13 internal order numbers were not entered in SAP, the awards failed to upload to the FFATA database and were not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements may recur in future periods if control deficiencies are not corrected to ensure completeness of the upload to FSRS. Recommendation: We recommend that OB-BAFM continue to implement their established procedures to ensure all subrecipient contract information is properly recorded in SAP and the upload into the FFATA database, and FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 013: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient?s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2021-014) Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1901PATANF (10/01/2018 ? 9/30/2019), 2101PAADPT (10/01/2020 ? 9/30/2021), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2022. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the DHS and the Pennsylvania Department of Health (DOH) did not adequately evaluate each subrecipient?s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients? Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by ?No?) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient?s risk of noncompliance. SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2022 ? 013: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) (1) Although an evaluation of subrecipient risk was conducted, the only risk factor used in the evaluation was the error rate detected for the county subrecipients. The evaluation is deemed inadequate since there was no written evidence that the risk assessment considered other risk factors, such as the risk factors identified in 2 CFR Section 200.332. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient?s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient?s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Finding 2022 ? 013: (continued) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS?s process for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS and DOH were not properly documented. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Recommendation: DHS should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS and DOH should implement procedures to adequately document their evaluation of each subrecipient?s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with this finding. DOH Response: DOH agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 006: ALN 10.551 and 10.561 ? Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2021-005) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 ? 9/30/2022), 211PA405S2514 (10/01/2020 ? 9/30/2021), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2101PATANFC6 (10/01/2020 ? 9/30/2022) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2022 totaled $5.6 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2022 totaled $129.7 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our review of the physical security over EBT cards, we noted exceptions at all CAO and district locations selected for testing. These exceptions included the following: 1) The ending inventory count of EBT cards at June 30, 2022 which was calculated using the weekly log including July 1, 2021, the daily logs for the fiscal year ended June 30, 2022, and the EBT shipment logs for the fiscal year ended June 30, 2022 did not reconcile to the inventory count on the weekly log including June 30, 2022 in the EBT Card Tracking Database (1 location); 2) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a district office. The master list includes five cardmakers and zero pinners. The district office list includes one pinner who is listed as a cardmaker on the master list (1 district office); 3) EBT cards were created outside of the hours of operations (2 district offices); 4) The Weekly Log was completed and closed prior to close of business (1 location); 5) The Electronic Payment Processing and Information Control (EPPIC) EBT Systems Application forms provided by a district office did not match the forms provided by the EBT Project Office (1 district office); 6) Failure to perform the following: ? Completion of the witness field on an EBT Shipment Verification Log (1 district); ? Completion of the weekly approver field on the Weekly Log (1 district office); ? Completion of the EBT Card Paper Logs daily instead of only in an emergency situation (1 location); ? Completion of the requestor field on the EPPIC EBT Systems Application forms (1 district office); ? Completion of the exceptions, approved, and approver fields on the Daily Log when a Form HS 764 was completed (2 district offices); ? Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 location); ? Designate a manager or supervisor to the EBT Coordinator role (1 location); Finding 2022 ? 006: (continued) ? Ensure that coverage for card pinning is available until 5:00 PM each business day (3 district offices and 1 location); ? Ensure EBT Card Tracking Database users are assigned the appropriate role responsibilities within the database. An employee has two active user accounts with different assigned staff roles to each account (1 district office); ? Ensure users no longer using the EBT Card Tracking Database are deactivated (1 district office and 1 location); ? Maintain adequate security of EBT cards (1 district office and 5 locations); ? Maintain adequate security of pinning device (1 district office and 4 locations); ? Maintain adequate security of EBT card printing device (1 location); ? Maintain adequate security of ribbons (1 district office and 4 locations); ? Maintain adequate security of paper EBT logs (3 locations); ? Maintain accurate EBT card inventory in the EBT Card Tracking Database (1 location); ? Maintain operational efficiency due to only having one PIN Select Device (1 district office); ? Maintain operational efficiency due to having an inoperable EBT Card Printer for a portion of the fiscal year (1 district office); ? Proper completion of Form HS 764 (1 district office and 1 location); ? Proper destruction of damaged EBT cards (1 district office); ? Proper format of the EPPIC EBT Systems Application form files sent to the Office of Income Maintenance (OIM) EBT Security Administrator (1 location); ? Scan Form HS 764 to case record after the EBT card is created (1 location); ? Provide the Ribbon Installation and Destruction Log from the EBT Card Tracking Database (1 district office); ? Retain EPPIC EBT Systems Application forms electronically (1 district office); ? Timely enter a shipment received into the EBT Card Tracking Database (1 location); ? Timely completion and submission of the EPPIC EBT Systems Application forms to OIM EBT Security (3 locations). Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions ? N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also ?75.361, 75.362, 75.363, 75.364, and 75.365): Finding 2022 ? 006: (continued) (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See ?75.303. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 008: ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) Department of Human Services Did Not Validate Financial Information as Part of Its On-Site Monitoring of Temporary Assistance for Needy Families Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2021-007) Federal Grant Number(s) and Year(s): 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1801PATANF (10/01/2017 ? 9/30/2018), 1701PATANF (10/01/2016 ? 9/30/2017) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: During the fiscal year ended June 30, 2022, the Department of Human Services (DHS) paid $79.5 million in Temporary Assistance for Needy Families (TANF) funding to subrecipients within the New Directions, Cash Grants, and Alternatives to Abortion appropriations (or 22.1 percent) out of total federal TANF expenditures of $360.2 million reported on the June 30, 2022 Schedule of Expenditures of Federal Awards. Our testing of DHS?s during-the-award monitoring of subrecipients for the fiscal year ended June 30, 2022 disclosed that DHS performed on-site monitoring for 20 out of 21 subrecipients selected for testing. The on-site monitoring that was performed consisted of reviews of program operations including design, data entry accuracy and timeliness, case management analysis, and program payment performance goals. The on-site monitoring also included a review of a sample of TANF recipient case files to ensure that the recipients? TANF activities were documented and accurately entered in the Commonwealth?s Workforce Development System. However, DHS?s monitoring procedures for the 20 subrecipients were not adequate as they did not include a review or monitoring of subrecipient financial records, which would provide an assessment of a subrecipient?s compliance with applicable federal regulations. Although DHS?s monitoring procedures include reviewing subrecipient completed questionnaires for selected subrecipients that had questions related to financial matters, DHS?s monitoring personnel did not review subrecipient financial records. For example, DHS did not perform procedures to ensure subrecipient invoices agreed to the books and records of the subrecipient and that the records were adequate to support the allowability of costs paid by DHS during the award period. In addition, DHS?s monitoring procedures did not include an evaluation of the operating effectiveness of DHS subrecipients? procedures to monitor Single Audits and any related findings. Our testing of the 21 subrecipients noted above included follow up on one subrecipient identified in the prior year finding as not being on-site monitored by DHS when the risk assessment warranted on-site monitoring. Our follow-up during the current audit period disclosed that DHS did not conduct on-site monitoring for this subrecipient during the fiscal year ended June 30, 2022. Since the on-site monitoring was not completed, internal control weaknesses, noncompliance, and questioned costs may have existed and remained undetected during the current audit period. This subrecipient received $980,923 of TANF funds during the fiscal year ended June 30, 2022. Criteria: 45 CFR Section 75.352, Requirements for pass-through entities, states: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. Finding 2022 ? 008: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by ? 75.521 [Management decision]. 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in ?200.425 [Audit services]. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: DHS planned to implement new during-the-award monitoring procedures to be used for the on-site monitoring of subrecipients, but these procedures were not in place for monitoring conducted during the fiscal year ended June 30, 2022. Therefore, DHS has not implemented adequate during-the-award monitoring procedures of subrecipients to include testing of the financial records and the subrecipients? monitoring of Single Audits sufficient to ensure compliance with federal regulations. Regarding the one subrecipient for which on-site monitoring was not completed, DHS personnel stated that they are working with the subrecipient to obtain the necessary documentation to complete the on-site monitoring. Effect: TANF subrecipients could be operating in noncompliance with federal regulations without timely detection and correction by DHS management. Recommendation: DHS should strengthen its controls to ensure during-the-award monitoring of TANF subrecipients includes procedures to ensure that subrecipients are in compliance with applicable federal regulations. This should include examining subrecipients? financial records and ensuring that all required Single Audits were obtained by DHS subrecipients. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of the Budget ? Office of Comptroller Operations Finding 2022 ? 012: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s FFATA Reporting Process Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth?s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month?s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $113.1 million from ten major programs disclosed that 13 transactions totaling $29.2 million, or 33 percent of transactions tested, were not reported to FSRS. Specifically, the 13 transactions for which the FFATA information was not reported occurred within three of the ten programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (1) Not all subrecipient awards within total subrecipient expenditures (program total) may meet the criteria for FFATA reporting. Finding 2022 ? 012: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2022 ? 012: (continued) Cause: OB-BAFM personnel indicated that due to staff turnover, certain subawards were not reported to FSRS because the award dates were not being entered for the internal order number in SAP. The award dates identify the contracts that are extracted from SAP for the upload to the FFATA database and the subsequent upload to FSRS. As a result of our testing, OB-BAFM personnel indicated they have established and implemented procedures to ensure award dates are entered into SAP for all internal orders so that the required subawards are properly reported in FSRS. The new procedures also include review of the FFATA information to ensure the data is consistent and correct before being uploaded to FSRS. Regarding the 13 transactions identified during our testing that were not reported to the FFATA database, OB-BAFM personnel indicated they subsequently identified and entered award dates for subawards that were missing an award date, allowing the award information to upload to the FFATA database and FSRS as required. Effect: Since the award dates for 13 internal order numbers were not entered in SAP, the awards failed to upload to the FFATA database and were not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements may recur in future periods if control deficiencies are not corrected to ensure completeness of the upload to FSRS. Recommendation: We recommend that OB-BAFM continue to implement their established procedures to ensure all subrecipient contract information is properly recorded in SAP and the upload into the FFATA database, and FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 013: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient?s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2021-014) Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1901PATANF (10/01/2018 ? 9/30/2019), 2101PAADPT (10/01/2020 ? 9/30/2021), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2022. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the DHS and the Pennsylvania Department of Health (DOH) did not adequately evaluate each subrecipient?s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients? Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by ?No?) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient?s risk of noncompliance. SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2022 ? 013: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) (1) Although an evaluation of subrecipient risk was conducted, the only risk factor used in the evaluation was the error rate detected for the county subrecipients. The evaluation is deemed inadequate since there was no written evidence that the risk assessment considered other risk factors, such as the risk factors identified in 2 CFR Section 200.332. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient?s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient?s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Finding 2022 ? 013: (continued) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS?s process for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS and DOH were not properly documented. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Recommendation: DHS should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS and DOH should implement procedures to adequately document their evaluation of each subrecipient?s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with this finding. DOH Response: DOH agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 006: ALN 10.551 and 10.561 ? Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2021-005) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 ? 9/30/2022), 211PA405S2514 (10/01/2020 ? 9/30/2021), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2101PATANFC6 (10/01/2020 ? 9/30/2022) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2022 totaled $5.6 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2022 totaled $129.7 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our review of the physical security over EBT cards, we noted exceptions at all CAO and district locations selected for testing. These exceptions included the following: 1) The ending inventory count of EBT cards at June 30, 2022 which was calculated using the weekly log including July 1, 2021, the daily logs for the fiscal year ended June 30, 2022, and the EBT shipment logs for the fiscal year ended June 30, 2022 did not reconcile to the inventory count on the weekly log including June 30, 2022 in the EBT Card Tracking Database (1 location); 2) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a district office. The master list includes five cardmakers and zero pinners. The district office list includes one pinner who is listed as a cardmaker on the master list (1 district office); 3) EBT cards were created outside of the hours of operations (2 district offices); 4) The Weekly Log was completed and closed prior to close of business (1 location); 5) The Electronic Payment Processing and Information Control (EPPIC) EBT Systems Application forms provided by a district office did not match the forms provided by the EBT Project Office (1 district office); 6) Failure to perform the following: ? Completion of the witness field on an EBT Shipment Verification Log (1 district); ? Completion of the weekly approver field on the Weekly Log (1 district office); ? Completion of the EBT Card Paper Logs daily instead of only in an emergency situation (1 location); ? Completion of the requestor field on the EPPIC EBT Systems Application forms (1 district office); ? Completion of the exceptions, approved, and approver fields on the Daily Log when a Form HS 764 was completed (2 district offices); ? Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 location); ? Designate a manager or supervisor to the EBT Coordinator role (1 location); Finding 2022 ? 006: (continued) ? Ensure that coverage for card pinning is available until 5:00 PM each business day (3 district offices and 1 location); ? Ensure EBT Card Tracking Database users are assigned the appropriate role responsibilities within the database. An employee has two active user accounts with different assigned staff roles to each account (1 district office); ? Ensure users no longer using the EBT Card Tracking Database are deactivated (1 district office and 1 location); ? Maintain adequate security of EBT cards (1 district office and 5 locations); ? Maintain adequate security of pinning device (1 district office and 4 locations); ? Maintain adequate security of EBT card printing device (1 location); ? Maintain adequate security of ribbons (1 district office and 4 locations); ? Maintain adequate security of paper EBT logs (3 locations); ? Maintain accurate EBT card inventory in the EBT Card Tracking Database (1 location); ? Maintain operational efficiency due to only having one PIN Select Device (1 district office); ? Maintain operational efficiency due to having an inoperable EBT Card Printer for a portion of the fiscal year (1 district office); ? Proper completion of Form HS 764 (1 district office and 1 location); ? Proper destruction of damaged EBT cards (1 district office); ? Proper format of the EPPIC EBT Systems Application form files sent to the Office of Income Maintenance (OIM) EBT Security Administrator (1 location); ? Scan Form HS 764 to case record after the EBT card is created (1 location); ? Provide the Ribbon Installation and Destruction Log from the EBT Card Tracking Database (1 district office); ? Retain EPPIC EBT Systems Application forms electronically (1 district office); ? Timely enter a shipment received into the EBT Card Tracking Database (1 location); ? Timely completion and submission of the EPPIC EBT Systems Application forms to OIM EBT Security (3 locations). Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions ? N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also ?75.361, 75.362, 75.363, 75.364, and 75.365): Finding 2022 ? 006: (continued) (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See ?75.303. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 008: ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) Department of Human Services Did Not Validate Financial Information as Part of Its On-Site Monitoring of Temporary Assistance for Needy Families Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2021-007) Federal Grant Number(s) and Year(s): 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1801PATANF (10/01/2017 ? 9/30/2018), 1701PATANF (10/01/2016 ? 9/30/2017) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: During the fiscal year ended June 30, 2022, the Department of Human Services (DHS) paid $79.5 million in Temporary Assistance for Needy Families (TANF) funding to subrecipients within the New Directions, Cash Grants, and Alternatives to Abortion appropriations (or 22.1 percent) out of total federal TANF expenditures of $360.2 million reported on the June 30, 2022 Schedule of Expenditures of Federal Awards. Our testing of DHS?s during-the-award monitoring of subrecipients for the fiscal year ended June 30, 2022 disclosed that DHS performed on-site monitoring for 20 out of 21 subrecipients selected for testing. The on-site monitoring that was performed consisted of reviews of program operations including design, data entry accuracy and timeliness, case management analysis, and program payment performance goals. The on-site monitoring also included a review of a sample of TANF recipient case files to ensure that the recipients? TANF activities were documented and accurately entered in the Commonwealth?s Workforce Development System. However, DHS?s monitoring procedures for the 20 subrecipients were not adequate as they did not include a review or monitoring of subrecipient financial records, which would provide an assessment of a subrecipient?s compliance with applicable federal regulations. Although DHS?s monitoring procedures include reviewing subrecipient completed questionnaires for selected subrecipients that had questions related to financial matters, DHS?s monitoring personnel did not review subrecipient financial records. For example, DHS did not perform procedures to ensure subrecipient invoices agreed to the books and records of the subrecipient and that the records were adequate to support the allowability of costs paid by DHS during the award period. In addition, DHS?s monitoring procedures did not include an evaluation of the operating effectiveness of DHS subrecipients? procedures to monitor Single Audits and any related findings. Our testing of the 21 subrecipients noted above included follow up on one subrecipient identified in the prior year finding as not being on-site monitored by DHS when the risk assessment warranted on-site monitoring. Our follow-up during the current audit period disclosed that DHS did not conduct on-site monitoring for this subrecipient during the fiscal year ended June 30, 2022. Since the on-site monitoring was not completed, internal control weaknesses, noncompliance, and questioned costs may have existed and remained undetected during the current audit period. This subrecipient received $980,923 of TANF funds during the fiscal year ended June 30, 2022. Criteria: 45 CFR Section 75.352, Requirements for pass-through entities, states: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. Finding 2022 ? 008: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by ? 75.521 [Management decision]. 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in ?200.425 [Audit services]. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: DHS planned to implement new during-the-award monitoring procedures to be used for the on-site monitoring of subrecipients, but these procedures were not in place for monitoring conducted during the fiscal year ended June 30, 2022. Therefore, DHS has not implemented adequate during-the-award monitoring procedures of subrecipients to include testing of the financial records and the subrecipients? monitoring of Single Audits sufficient to ensure compliance with federal regulations. Regarding the one subrecipient for which on-site monitoring was not completed, DHS personnel stated that they are working with the subrecipient to obtain the necessary documentation to complete the on-site monitoring. Effect: TANF subrecipients could be operating in noncompliance with federal regulations without timely detection and correction by DHS management. Recommendation: DHS should strengthen its controls to ensure during-the-award monitoring of TANF subrecipients includes procedures to ensure that subrecipients are in compliance with applicable federal regulations. This should include examining subrecipients? financial records and ensuring that all required Single Audits were obtained by DHS subrecipients. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of the Budget ? Office of Comptroller Operations Finding 2022 ? 012: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s FFATA Reporting Process Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth?s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month?s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $113.1 million from ten major programs disclosed that 13 transactions totaling $29.2 million, or 33 percent of transactions tested, were not reported to FSRS. Specifically, the 13 transactions for which the FFATA information was not reported occurred within three of the ten programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (1) Not all subrecipient awards within total subrecipient expenditures (program total) may meet the criteria for FFATA reporting. Finding 2022 ? 012: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2022 ? 012: (continued) Cause: OB-BAFM personnel indicated that due to staff turnover, certain subawards were not reported to FSRS because the award dates were not being entered for the internal order number in SAP. The award dates identify the contracts that are extracted from SAP for the upload to the FFATA database and the subsequent upload to FSRS. As a result of our testing, OB-BAFM personnel indicated they have established and implemented procedures to ensure award dates are entered into SAP for all internal orders so that the required subawards are properly reported in FSRS. The new procedures also include review of the FFATA information to ensure the data is consistent and correct before being uploaded to FSRS. Regarding the 13 transactions identified during our testing that were not reported to the FFATA database, OB-BAFM personnel indicated they subsequently identified and entered award dates for subawards that were missing an award date, allowing the award information to upload to the FFATA database and FSRS as required. Effect: Since the award dates for 13 internal order numbers were not entered in SAP, the awards failed to upload to the FFATA database and were not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements may recur in future periods if control deficiencies are not corrected to ensure completeness of the upload to FSRS. Recommendation: We recommend that OB-BAFM continue to implement their established procedures to ensure all subrecipient contract information is properly recorded in SAP and the upload into the FFATA database, and FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 013: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient?s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2021-014) Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1901PATANF (10/01/2018 ? 9/30/2019), 2101PAADPT (10/01/2020 ? 9/30/2021), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2022. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the DHS and the Pennsylvania Department of Health (DOH) did not adequately evaluate each subrecipient?s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients? Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by ?No?) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient?s risk of noncompliance. SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2022 ? 013: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) (1) Although an evaluation of subrecipient risk was conducted, the only risk factor used in the evaluation was the error rate detected for the county subrecipients. The evaluation is deemed inadequate since there was no written evidence that the risk assessment considered other risk factors, such as the risk factors identified in 2 CFR Section 200.332. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient?s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient?s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Finding 2022 ? 013: (continued) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS?s process for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS and DOH were not properly documented. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Recommendation: DHS should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS and DOH should implement procedures to adequately document their evaluation of each subrecipient?s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with this finding. DOH Response: DOH agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 013: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient?s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2021-014) Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1901PATANF (10/01/2018 ? 9/30/2019), 2101PAADPT (10/01/2020 ? 9/30/2021), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2022. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the DHS and the Pennsylvania Department of Health (DOH) did not adequately evaluate each subrecipient?s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients? Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by ?No?) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient?s risk of noncompliance. SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2022 ? 013: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) (1) Although an evaluation of subrecipient risk was conducted, the only risk factor used in the evaluation was the error rate detected for the county subrecipients. The evaluation is deemed inadequate since there was no written evidence that the risk assessment considered other risk factors, such as the risk factors identified in 2 CFR Section 200.332. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient?s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient?s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Finding 2022 ? 013: (continued) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS?s process for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS and DOH were not properly documented. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Recommendation: DHS should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS and DOH should implement procedures to adequately document their evaluation of each subrecipient?s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with this finding. DOH Response: DOH agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 013: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient?s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2021-014) Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1901PATANF (10/01/2018 ? 9/30/2019), 2101PAADPT (10/01/2020 ? 9/30/2021), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2022. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the DHS and the Pennsylvania Department of Health (DOH) did not adequately evaluate each subrecipient?s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients? Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by ?No?) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient?s risk of noncompliance. SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2022 ? 013: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) (1) Although an evaluation of subrecipient risk was conducted, the only risk factor used in the evaluation was the error rate detected for the county subrecipients. The evaluation is deemed inadequate since there was no written evidence that the risk assessment considered other risk factors, such as the risk factors identified in 2 CFR Section 200.332. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient?s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient?s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Finding 2022 ? 013: (continued) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS?s process for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS and DOH were not properly documented. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Recommendation: DHS should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS and DOH should implement procedures to adequately document their evaluation of each subrecipient?s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with this finding. DOH Response: DOH agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 013: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient?s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2021-014) Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1901PATANF (10/01/2018 ? 9/30/2019), 2101PAADPT (10/01/2020 ? 9/30/2021), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2022. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the DHS and the Pennsylvania Department of Health (DOH) did not adequately evaluate each subrecipient?s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients? Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by ?No?) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient?s risk of noncompliance. SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2022 ? 013: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) (1) Although an evaluation of subrecipient risk was conducted, the only risk factor used in the evaluation was the error rate detected for the county subrecipients. The evaluation is deemed inadequate since there was no written evidence that the risk assessment considered other risk factors, such as the risk factors identified in 2 CFR Section 200.332. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient?s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient?s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Finding 2022 ? 013: (continued) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS?s process for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS and DOH were not properly documented. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Recommendation: DHS should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS and DOH should implement procedures to adequately document their evaluation of each subrecipient?s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with this finding. DOH Response: DOH agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 013: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient?s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2021-014) Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1901PATANF (10/01/2018 ? 9/30/2019), 2101PAADPT (10/01/2020 ? 9/30/2021), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2022. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the DHS and the Pennsylvania Department of Health (DOH) did not adequately evaluate each subrecipient?s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients? Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by ?No?) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient?s risk of noncompliance. SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2022 ? 013: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) (1) Although an evaluation of subrecipient risk was conducted, the only risk factor used in the evaluation was the error rate detected for the county subrecipients. The evaluation is deemed inadequate since there was no written evidence that the risk assessment considered other risk factors, such as the risk factors identified in 2 CFR Section 200.332. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient?s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient?s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Finding 2022 ? 013: (continued) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS?s process for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS and DOH were not properly documented. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Recommendation: DHS should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS and DOH should implement procedures to adequately document their evaluation of each subrecipient?s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with this finding. DOH Response: DOH agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 006: ALN 10.551 and 10.561 ? Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2021-005) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 ? 9/30/2022), 211PA405S2514 (10/01/2020 ? 9/30/2021), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2101PATANFC6 (10/01/2020 ? 9/30/2022) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2022 totaled $5.6 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2022 totaled $129.7 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our review of the physical security over EBT cards, we noted exceptions at all CAO and district locations selected for testing. These exceptions included the following: 1) The ending inventory count of EBT cards at June 30, 2022 which was calculated using the weekly log including July 1, 2021, the daily logs for the fiscal year ended June 30, 2022, and the EBT shipment logs for the fiscal year ended June 30, 2022 did not reconcile to the inventory count on the weekly log including June 30, 2022 in the EBT Card Tracking Database (1 location); 2) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a district office. The master list includes five cardmakers and zero pinners. The district office list includes one pinner who is listed as a cardmaker on the master list (1 district office); 3) EBT cards were created outside of the hours of operations (2 district offices); 4) The Weekly Log was completed and closed prior to close of business (1 location); 5) The Electronic Payment Processing and Information Control (EPPIC) EBT Systems Application forms provided by a district office did not match the forms provided by the EBT Project Office (1 district office); 6) Failure to perform the following: ? Completion of the witness field on an EBT Shipment Verification Log (1 district); ? Completion of the weekly approver field on the Weekly Log (1 district office); ? Completion of the EBT Card Paper Logs daily instead of only in an emergency situation (1 location); ? Completion of the requestor field on the EPPIC EBT Systems Application forms (1 district office); ? Completion of the exceptions, approved, and approver fields on the Daily Log when a Form HS 764 was completed (2 district offices); ? Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 location); ? Designate a manager or supervisor to the EBT Coordinator role (1 location); Finding 2022 ? 006: (continued) ? Ensure that coverage for card pinning is available until 5:00 PM each business day (3 district offices and 1 location); ? Ensure EBT Card Tracking Database users are assigned the appropriate role responsibilities within the database. An employee has two active user accounts with different assigned staff roles to each account (1 district office); ? Ensure users no longer using the EBT Card Tracking Database are deactivated (1 district office and 1 location); ? Maintain adequate security of EBT cards (1 district office and 5 locations); ? Maintain adequate security of pinning device (1 district office and 4 locations); ? Maintain adequate security of EBT card printing device (1 location); ? Maintain adequate security of ribbons (1 district office and 4 locations); ? Maintain adequate security of paper EBT logs (3 locations); ? Maintain accurate EBT card inventory in the EBT Card Tracking Database (1 location); ? Maintain operational efficiency due to only having one PIN Select Device (1 district office); ? Maintain operational efficiency due to having an inoperable EBT Card Printer for a portion of the fiscal year (1 district office); ? Proper completion of Form HS 764 (1 district office and 1 location); ? Proper destruction of damaged EBT cards (1 district office); ? Proper format of the EPPIC EBT Systems Application form files sent to the Office of Income Maintenance (OIM) EBT Security Administrator (1 location); ? Scan Form HS 764 to case record after the EBT card is created (1 location); ? Provide the Ribbon Installation and Destruction Log from the EBT Card Tracking Database (1 district office); ? Retain EPPIC EBT Systems Application forms electronically (1 district office); ? Timely enter a shipment received into the EBT Card Tracking Database (1 location); ? Timely completion and submission of the EPPIC EBT Systems Application forms to OIM EBT Security (3 locations). Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions ? N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also ?75.361, 75.362, 75.363, 75.364, and 75.365): Finding 2022 ? 006: (continued) (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See ?75.303. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 006: ALN 10.551 and 10.561 ? Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2021-005) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 ? 9/30/2022), 211PA405S2514 (10/01/2020 ? 9/30/2021), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2101PATANFC6 (10/01/2020 ? 9/30/2022) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2022 totaled $5.6 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2022 totaled $129.7 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our review of the physical security over EBT cards, we noted exceptions at all CAO and district locations selected for testing. These exceptions included the following: 1) The ending inventory count of EBT cards at June 30, 2022 which was calculated using the weekly log including July 1, 2021, the daily logs for the fiscal year ended June 30, 2022, and the EBT shipment logs for the fiscal year ended June 30, 2022 did not reconcile to the inventory count on the weekly log including June 30, 2022 in the EBT Card Tracking Database (1 location); 2) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a district office. The master list includes five cardmakers and zero pinners. The district office list includes one pinner who is listed as a cardmaker on the master list (1 district office); 3) EBT cards were created outside of the hours of operations (2 district offices); 4) The Weekly Log was completed and closed prior to close of business (1 location); 5) The Electronic Payment Processing and Information Control (EPPIC) EBT Systems Application forms provided by a district office did not match the forms provided by the EBT Project Office (1 district office); 6) Failure to perform the following: ? Completion of the witness field on an EBT Shipment Verification Log (1 district); ? Completion of the weekly approver field on the Weekly Log (1 district office); ? Completion of the EBT Card Paper Logs daily instead of only in an emergency situation (1 location); ? Completion of the requestor field on the EPPIC EBT Systems Application forms (1 district office); ? Completion of the exceptions, approved, and approver fields on the Daily Log when a Form HS 764 was completed (2 district offices); ? Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 location); ? Designate a manager or supervisor to the EBT Coordinator role (1 location); Finding 2022 ? 006: (continued) ? Ensure that coverage for card pinning is available until 5:00 PM each business day (3 district offices and 1 location); ? Ensure EBT Card Tracking Database users are assigned the appropriate role responsibilities within the database. An employee has two active user accounts with different assigned staff roles to each account (1 district office); ? Ensure users no longer using the EBT Card Tracking Database are deactivated (1 district office and 1 location); ? Maintain adequate security of EBT cards (1 district office and 5 locations); ? Maintain adequate security of pinning device (1 district office and 4 locations); ? Maintain adequate security of EBT card printing device (1 location); ? Maintain adequate security of ribbons (1 district office and 4 locations); ? Maintain adequate security of paper EBT logs (3 locations); ? Maintain accurate EBT card inventory in the EBT Card Tracking Database (1 location); ? Maintain operational efficiency due to only having one PIN Select Device (1 district office); ? Maintain operational efficiency due to having an inoperable EBT Card Printer for a portion of the fiscal year (1 district office); ? Proper completion of Form HS 764 (1 district office and 1 location); ? Proper destruction of damaged EBT cards (1 district office); ? Proper format of the EPPIC EBT Systems Application form files sent to the Office of Income Maintenance (OIM) EBT Security Administrator (1 location); ? Scan Form HS 764 to case record after the EBT card is created (1 location); ? Provide the Ribbon Installation and Destruction Log from the EBT Card Tracking Database (1 district office); ? Retain EPPIC EBT Systems Application forms electronically (1 district office); ? Timely enter a shipment received into the EBT Card Tracking Database (1 location); ? Timely completion and submission of the EPPIC EBT Systems Application forms to OIM EBT Security (3 locations). Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions ? N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also ?75.361, 75.362, 75.363, 75.364, and 75.365): Finding 2022 ? 006: (continued) (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See ?75.303. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 006: ALN 10.551 and 10.561 ? Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2021-005) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 ? 9/30/2022), 211PA405S2514 (10/01/2020 ? 9/30/2021), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2101PATANFC6 (10/01/2020 ? 9/30/2022) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2022 totaled $5.6 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2022 totaled $129.7 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our review of the physical security over EBT cards, we noted exceptions at all CAO and district locations selected for testing. These exceptions included the following: 1) The ending inventory count of EBT cards at June 30, 2022 which was calculated using the weekly log including July 1, 2021, the daily logs for the fiscal year ended June 30, 2022, and the EBT shipment logs for the fiscal year ended June 30, 2022 did not reconcile to the inventory count on the weekly log including June 30, 2022 in the EBT Card Tracking Database (1 location); 2) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a district office. The master list includes five cardmakers and zero pinners. The district office list includes one pinner who is listed as a cardmaker on the master list (1 district office); 3) EBT cards were created outside of the hours of operations (2 district offices); 4) The Weekly Log was completed and closed prior to close of business (1 location); 5) The Electronic Payment Processing and Information Control (EPPIC) EBT Systems Application forms provided by a district office did not match the forms provided by the EBT Project Office (1 district office); 6) Failure to perform the following: ? Completion of the witness field on an EBT Shipment Verification Log (1 district); ? Completion of the weekly approver field on the Weekly Log (1 district office); ? Completion of the EBT Card Paper Logs daily instead of only in an emergency situation (1 location); ? Completion of the requestor field on the EPPIC EBT Systems Application forms (1 district office); ? Completion of the exceptions, approved, and approver fields on the Daily Log when a Form HS 764 was completed (2 district offices); ? Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 location); ? Designate a manager or supervisor to the EBT Coordinator role (1 location); Finding 2022 ? 006: (continued) ? Ensure that coverage for card pinning is available until 5:00 PM each business day (3 district offices and 1 location); ? Ensure EBT Card Tracking Database users are assigned the appropriate role responsibilities within the database. An employee has two active user accounts with different assigned staff roles to each account (1 district office); ? Ensure users no longer using the EBT Card Tracking Database are deactivated (1 district office and 1 location); ? Maintain adequate security of EBT cards (1 district office and 5 locations); ? Maintain adequate security of pinning device (1 district office and 4 locations); ? Maintain adequate security of EBT card printing device (1 location); ? Maintain adequate security of ribbons (1 district office and 4 locations); ? Maintain adequate security of paper EBT logs (3 locations); ? Maintain accurate EBT card inventory in the EBT Card Tracking Database (1 location); ? Maintain operational efficiency due to only having one PIN Select Device (1 district office); ? Maintain operational efficiency due to having an inoperable EBT Card Printer for a portion of the fiscal year (1 district office); ? Proper completion of Form HS 764 (1 district office and 1 location); ? Proper destruction of damaged EBT cards (1 district office); ? Proper format of the EPPIC EBT Systems Application form files sent to the Office of Income Maintenance (OIM) EBT Security Administrator (1 location); ? Scan Form HS 764 to case record after the EBT card is created (1 location); ? Provide the Ribbon Installation and Destruction Log from the EBT Card Tracking Database (1 district office); ? Retain EPPIC EBT Systems Application forms electronically (1 district office); ? Timely enter a shipment received into the EBT Card Tracking Database (1 location); ? Timely completion and submission of the EPPIC EBT Systems Application forms to OIM EBT Security (3 locations). Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions ? N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also ?75.361, 75.362, 75.363, 75.364, and 75.365): Finding 2022 ? 006: (continued) (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See ?75.303. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 006: ALN 10.551 and 10.561 ? Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2021-005) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 ? 9/30/2022), 211PA405S2514 (10/01/2020 ? 9/30/2021), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2101PATANFC6 (10/01/2020 ? 9/30/2022) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2022 totaled $5.6 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2022 totaled $129.7 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our review of the physical security over EBT cards, we noted exceptions at all CAO and district locations selected for testing. These exceptions included the following: 1) The ending inventory count of EBT cards at June 30, 2022 which was calculated using the weekly log including July 1, 2021, the daily logs for the fiscal year ended June 30, 2022, and the EBT shipment logs for the fiscal year ended June 30, 2022 did not reconcile to the inventory count on the weekly log including June 30, 2022 in the EBT Card Tracking Database (1 location); 2) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a district office. The master list includes five cardmakers and zero pinners. The district office list includes one pinner who is listed as a cardmaker on the master list (1 district office); 3) EBT cards were created outside of the hours of operations (2 district offices); 4) The Weekly Log was completed and closed prior to close of business (1 location); 5) The Electronic Payment Processing and Information Control (EPPIC) EBT Systems Application forms provided by a district office did not match the forms provided by the EBT Project Office (1 district office); 6) Failure to perform the following: ? Completion of the witness field on an EBT Shipment Verification Log (1 district); ? Completion of the weekly approver field on the Weekly Log (1 district office); ? Completion of the EBT Card Paper Logs daily instead of only in an emergency situation (1 location); ? Completion of the requestor field on the EPPIC EBT Systems Application forms (1 district office); ? Completion of the exceptions, approved, and approver fields on the Daily Log when a Form HS 764 was completed (2 district offices); ? Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 location); ? Designate a manager or supervisor to the EBT Coordinator role (1 location); Finding 2022 ? 006: (continued) ? Ensure that coverage for card pinning is available until 5:00 PM each business day (3 district offices and 1 location); ? Ensure EBT Card Tracking Database users are assigned the appropriate role responsibilities within the database. An employee has two active user accounts with different assigned staff roles to each account (1 district office); ? Ensure users no longer using the EBT Card Tracking Database are deactivated (1 district office and 1 location); ? Maintain adequate security of EBT cards (1 district office and 5 locations); ? Maintain adequate security of pinning device (1 district office and 4 locations); ? Maintain adequate security of EBT card printing device (1 location); ? Maintain adequate security of ribbons (1 district office and 4 locations); ? Maintain adequate security of paper EBT logs (3 locations); ? Maintain accurate EBT card inventory in the EBT Card Tracking Database (1 location); ? Maintain operational efficiency due to only having one PIN Select Device (1 district office); ? Maintain operational efficiency due to having an inoperable EBT Card Printer for a portion of the fiscal year (1 district office); ? Proper completion of Form HS 764 (1 district office and 1 location); ? Proper destruction of damaged EBT cards (1 district office); ? Proper format of the EPPIC EBT Systems Application form files sent to the Office of Income Maintenance (OIM) EBT Security Administrator (1 location); ? Scan Form HS 764 to case record after the EBT card is created (1 location); ? Provide the Ribbon Installation and Destruction Log from the EBT Card Tracking Database (1 district office); ? Retain EPPIC EBT Systems Application forms electronically (1 district office); ? Timely enter a shipment received into the EBT Card Tracking Database (1 location); ? Timely completion and submission of the EPPIC EBT Systems Application forms to OIM EBT Security (3 locations). Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions ? N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also ?75.361, 75.362, 75.363, 75.364, and 75.365): Finding 2022 ? 006: (continued) (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See ?75.303. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of Administration ? Office for Information Technology Department of Agriculture Finding 2022 ? 010: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) Controls Over Information Technology System Migration and Controls Over the Accountability of Donated Foods Need Improvement Federal Grant Number(s) and Year(s): 1PA300365 (01/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report and the Commodity Inventory Summary for Distributors and Processors generated in the computer application are used to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. As part of our audit procedures, we performed certain tests of information technology (IT) general controls for the fiscal year ended June 30, 2022. Our IT procedures for the CNC inventory application included a review of the controls over the migration of data, as well as a review of user acceptance testing of certain reports during a system upgrade to a new application platform in June 2022. Our procedures disclosed significant deficiencies in internal controls over testing of reports and the migration of inventory data from the old application platform to the new application platform by the Conservation and Environment (C&E) Delivery Center in the Office of Administration, Office for Information Technology (OA-OIT), that supports the IT systems used by BFA. Specifically, we found that migration of the data from the old application database to the new application database was not performed in accordance with established OA-OIT policy as follows: ? A migration audit plan checklist was not completed. ? A testing strategy and plan was not prepared and/or maintained to document the following: o What was to be tested and by whom; o Test environment requirements, configurations, and preparations; o Test pass/fail criteria; o Test and validation checklists; and o Test result reviews and approvals. ? Reports that were used in the side-by-side comparison of the old system to the new system after migration were not retained for audit purposes. Further, we found that, while there was evidence of some user acceptance testing prior to system implementation, certain reports significant to the audit and to the preparation and reconciliation of the SEFA were subjected to user acceptance testing in October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. A detailed schedule of IT issues has been provided to OA-OIT for corrective action. Finding 2022 ? 010: (continued) In addition to testing the IT general controls described above, we also tested various reports generated by the system that were used by BFA to perform reconciliations and compile commodity expenditures reported in the SEFA as of June 30, 2022. We noted the following: Regarding the Commodity Processors Inventory Report which contained a total of 66 processors, some of which were inactive and not part of our testing population: ? For ten processors, when the report was generated for the entire year, and the beginning inventory for the commodity was zero, the report doubled the ending inventory. ? For three processors, the report displayed the wrong name for the related processor number. ? For five processors, when the report was generated for the entire year, the report displayed the processor as inactive despite having an ending inventory balance. BFA had to activate these processors in order to obtain the individual processor report activity. Regarding the Commodity Distributor Inventory Report: ? Inventory balances continue to be displayed on this report for three inactive distributors. Although all inventory was transferred to a new distributor, the transfer was not accounted for under the inactive distributors. ? Inventory balances for the two active distributors did not agree to the year-end physical inventory counts when the report was generated in October 2022. One distributor had a discrepancy of 1,794 cases and the other distributor had a discrepancy of 9,835 cases out of a total of 191,796 cases in year-end inventory. Reports generated in January 2023 displayed the ending balance that agreed to the year-end physical inventory counts. Regarding the Agency Summary Report: ? For one of the 25 recipients selected for testing from the Agency Summary Report, one month?s distribution activity for a selected commodity did not agree to the recipient?s records. We noted a difference of 29.22 more pounds received per the recipient?s invoices than was shown on the agency usage report that neither the recipient nor BFA could explain. We also noted discrepancies with BFA?s processor monthly performance reports (MPR), distributor monthly reconciliations, and year-end inventory reconciliations. We noted the following discrepancies in these reconciliations: ? Our testing of 25 processors? MPRs disclosed that for two processors BFA could not provide an MPR that agreed to the Commodity Processors Inventory Report which was prepared from the inventory application. ? Our testing of 15 receipt dates from three distributor monthly reconciliations disclosed a difference of 12 cases between USDA?s receipts and BFA?s receipts for one of the dates tested. BFA?s records were reconciled to the distributor?s records, and the difference was adjusted to agree to the distributor?s records without resolving the differences with USDA?s receipts. ? Our testing of BFA?s year-end reconciliation provided in October 2022 disclosed differences between distributor beginning inventory, receipts, distributions, and ending inventory balances and commodity inventory report balances. These differences impacted the commodity balances reported on the SEFA. The NSLP commodity amount was overstated by $248,640, and the SFSP commodity amount was understated by $107,616, for a net immaterial overstatement of $141,024 for the Child Nutrition Cluster. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). Finding 2022 ? 010: (continued) ? Green Book Principle 11 ? Design Activities for the Information System, states in part: o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. ? Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. OA-OIT issued the following Information Technology Policy (ITP) and Operational Document (OPD) to provide governance and guidance to agencies during implementation of new systems and placement of servers in the Enterprise Data Center: ? ITP-INF000 ? Enterprise Data and Information Management Policy, provides direction for effectively managing data and information life cycles including establishing data migration controls for data sets to be accessed from their original sources and efficiently moved from source to target destinations in an effective and secure manner. ? OPD-INF000A ? Migration Audit Checklist Template, which agencies must use to facilitate data migration as delineated in ITP-INF000. The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the CNC Cluster, Special Tests and Provisions ? N.2 Accountability for USDA ? Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Cause: Data migration occurred for this application as part of an upgrade to a new platform in June 2022. Due to the age of the application, it was no longer being supported by existing Enterprise Data Center infrastructure and technology. The C&E Delivery Center development team indicated that they were unaware that the ITP-INF000 ? Enterprise Data and Information Management Policy existed at the time of the data conversion. They indicated that while the web application was rewritten to utilize newer Microsoft technologies, large portions of the database utilized the same data structure as the previous system. Data queries were used to move data from one database to the other, and the data queries were written and tested. After the scripts were run, reports were compared side-by-side using the old system and the new system. When we requested additional evidence, management provided copies of the data queries and the change advisory board approval for the implementation of the new system but could not provide evidence of successful testing or evidence that reports comparing the old system and new system reconciled. During testing of the year-end inventory reconciliations, the auditors attempted to tie to reports they downloaded from the system and found the errors noted above. Once the identified errors in the downloaded reports were communicated to management, contracted personnel from the C&E Delivery Center corrected some, but not all, of the reports listed above. The C&E Delivery Center contractor represented that the issues identified during the audit were the result of how the reports were generated in the new system and were not issues with the underlying data, but no evidence to support this statement was provided. Further, certain issues, such as inactive distributors included on the system reports, had not been corrected as of our testing date in January 2023. Finding 2022 ? 010: (continued) While PDA provided a one-page document entitled Acceptance of Project Deliverable signed by BFA personnel on June 3, 2022, the emails documenting completion of user acceptance testing of the specific incorrect reports listed were dated October 2022 and December 2022, after ?go live? and after completion of the year-end inventory reconciliations. PDA management stated that issues were encountered with inventory reports after the inventory system was upgraded in June 2022 where fixes needed to be made as errors were being discovered. Also, a new distributor was added during the audit period that failed to submit complete files which resulted in reconciliation issues. PDA management erroneously believes that all discrepancies in inventory reports have been resolved and ending inventory balances are correct. Effect: The C&E Delivery Center?s failure to follow OA-OIT?s Enterprise Data and Information Management Policy resulted in the lack of certain controls over data migration including adequate planning, execution, and validation. The lack of evidence of successful, planned testing and comparisons of before and after snapshots of the data and inventory balances may have led to data migration errors that may have impacted the integrity, accuracy, and security of the data. Therefore, PDA management had little assurance prior to the audit that inventory balances transferred over completely and accurately. The lack of user acceptance testing prior to implementation of the new system (known as ?go live?) contributed to the inaccurate reports that failed to support the reconciliations provided for audit. Without direct intervention from the auditors, the inventory reports for the CNC program may not have been corrected, and similar reports generated for nonmajor programs may still contain errors. The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA?s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. OA-OIT and the C&E Delivery Center should perform the following: ? Work with BFA personnel to ensure all inventory reports generated from the new system are correct, tie to actual inventory balances on hand, and include the correct distribution centers. This should be done for CNC as well as for any nonmajor programs that utilize the same inventory application. ? Ensure that all system development personnel are aware of the data migration requirements detailed in Commonwealth policy prior to future system upgrades. ? Ensure adequate user acceptance testing is performed for all key reports prior to ?go live? in future system upgrades. OA-OIT Response: OA-OIT and the C&E Delivery Center agree with the facts of the finding. PDA Response: PDA agrees with the facts of the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Environmental Protection Finding 2022 ? 005: ALN 15.252 ? Abandoned Mine Land Reclamation A Material Weakness and Material Noncompliance Exist at the Department of Environmental Protection Related to Subrecipient Monitoring (A Similar Condition Was Noted in Prior Year Finding 2021-004) Federal Grant Number(s) and Year(s): S21AF10015 (01/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 09/30/2023), S20AF20006 (01/01/2020 ?? 12/31/2022), S19AF20006 (01/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2022), S18AF20004 (11/01/2017 ?10/31/2023) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Department of Environmental Protection (DEP) administers the Abandoned Mine Land Reclamation (AMLR) program funded by the United States Department of the Interior (DOI). During the fiscal year ended June 30, 2022, DEP expended $49,400,302 within the AMLR program, of which $13,270,381 was paid to 18 subrecipients with whom DEP executed subrecipient agreements to provide abandoned mine land reclamation repairs and services throughout Pennsylvania. Our audit testing disclosed that DEP did not conduct risk assessments or program monitoring of these subrecipient expenditures during the fiscal year ended June 30, 2022, since DEP considered these entities to be contractors and not subrecipients. Based on a recent determination made by DEP, these entities should be categorized as subrecipients. As such, DEP began implementing procedures to ensure federal regulations are met regarding subrecipient agreements. However, these procedures were implemented subsequent to the fiscal year ended June 30, 2022. While Single Audits of the AMLR subrecipients may be conducted each year, this auditing activity does not compensate for the lack of during-the-award program monitoring, since the timing, focus, and scope of subrecipient auditing activities after year end are different than compliance monitoring to be performed by program officials during the year. Criteria: As part of administering the AMLR program, DEP must have policies, procedures, and controls in place to ensure compliance with federal requirements within contract requirements and regulations. 2 CFR Section 200.332, Requirements for pass through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521 [Management decision]. Finding 2022 ? 005: (continued) (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in ?200.425 [Audit services]. The standard contract agreement between DEP and the local grantee states, in part: Audit/Compliance Review Requirements - The contractor must comply with all applicable federal and state grant requirements including the Single Audit Act Amendments of 1996; 2 CFR Part 200 as amended; and any other applicable law or regulation, and any amendment to such other applicable law or regulation that may be enacted or promulgated by the federal government. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: In previous years, DEP management considered these entities as contractors for whom subrecipient monitoring requirements were not applicable. However, based on recent determinations, DEP acknowledges these entities as subrecipients, not contractors, subject to federal subrecipient requirements. Effect: Without the completion of risk assessments and subrecipient monitoring, DEP cannot ensure compliance with federal statutes, regulations, and the terms and conditions of the subrecipient contracts, confirm that local subrecipients are performing satisfactory work, ensure the efficient use of program resources, and minimize the risk for fraud and abuse. Completing monitoring activities is essential for DEP to determine whether the local agencies are complying with federal regulations and spending grant funds appropriately. Recommendation: We recommend that DEP continue to develop and implement written policies and procedures for performing risk based during-the-award subrecipient monitoring and implement them immediately to ensure timely subrecipient compliance with federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. Agency Response: The Department of Environmental Protection agrees with the facts as presented in this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 007: ALN 21.023 ? COVID 19 ? Emergency Rental Assistance Program A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to Submission of Emergency Rental Assistance Monthly and Quarterly Reporting and Special Tests and Provisions Related to ERA Funds Reallocation (A Similar Condition Was Noted in Prior Year Finding 2021-006) Federal Grant Number(s) and Year(s): G019649899 (3/13/2020 ? 9/30/2025), G017649899 (3/13/2020 ? 9/30/2025) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirements: Reporting and Special Tests and Provisions related to ERA Funds Reallocation Condition: Emergency Rental Assistance (ERA) 1 and ERA 2 state, local, and territorial recipients were required to submit monthly and quarterly reports to the United States Department of the Treasury (US Treasury). The monthly reports are brief two-question updates through which ERA recipients provide US Treasury with very high-level counts of the numbers of households receiving assistance and the amounts of ERA funds distributed. The quarterly reports are in-depth reports with data on an array of programmatic and financial information to provide transparency in the use and progress of ERA funds. Monthly reports were required for each month of the fiscal year ended June 30, 2022 and were due 15 days after the end of the month. Quarterly reports were required for each quarter of the fiscal year ended June 30, 2022 and were due October 29, 2021, February 1, 2022, April 15, 2022, and July 15, 2022. As the direct recipient of ERA funds, the Department of Human Services (DHS) is responsible for ensuring the timeliness and accuracy of the report submissions. DHS obtained report information from subrecipients which was compiled and included in the submitted reports. The reports contained all required data elements, however, DHS did not implement policies and procedures to ensure the accuracy of the information reported by the counties. Therefore, DHS was unable to provide supporting documentation for amounts reported by county subrecipients on the reports or to demonstrate that they had reviewed and verified the accuracy of this information. In addition, DHS was unable to provide support for timely submission of monthly reports. Criteria: The Emergency Rental Assistance Program Reporting Guidance published by the US Treasury identifies several steps in the reporting process: ? Recipients gather and maintain required information such as counts of applicants and participants; amounts paid directly or indirectly to tenants, landlords, and utility/home energy providers; amounts paid to subrecipients and contractors; and administrative expenses. ? Recipients will need to communicate with and gather required information from their subrecipients and contractors, if applicable. ? After manually entering or uploading the report information, Recipients must review the information entered or submitted to the online reporting forms for any errors and completeness. Following completion of the report in Treasury?s portal, the Recipient?s designated Authorized Representative for Reporting must certify to the authenticity and accuracy of the information provided and formally submit the report to Treasury. Finding 2022 ? 007: (continued) The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the Emergency Rental Assistance Program, Special Tests and Provisions ? N. ERA Funds Reallocations, states in part: ? Financial information certified by grantees used by Treasury to make reallocation determinations must be accurate and excess funds that are subject to involuntary recapture must be returned to Treasury in accordance with Treasury?s confirmation letter. ? The financial information certified as part of reallocation includes monthly expenditure and cumulative obligations levels, as described in the Treasury reallocation guidance. ERA 1 expenditures reported monthly by the grantee are inputs to Treasury?s reallocation expenditure ratio. ERA1 obligations certified in the Request for Reallocated Funds form (1505-0266), including in the Request for Voluntarily Reallocated Funds, are inputs into determining eligibility to receive reallocated funds. ? Pursuant to section 501(d) of the Consolidated Appropriations Act, 2021, Treasury is required to reallocate ?excess? ERA 1 award funds. Treasury?s objective in reallocations is to ensure ERA 1 award funds remain available to grantees in accordance with their jurisdictional needs and demonstrated capacity to deliver assistance while the ERA appropriations remain available. 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework?, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: DHS did not implement policies and procedures to ensure the accuracy of information reported by counties which was included on the reports. DHS also did not implement policies and procedures to ensure that it maintained documentation of timely submission. Effect: Without review and validation of the detail supporting the summary information reported by counties, the reports may have contained inaccurate information. Inaccurate and/or untimely submission of monthly reports could impact the US Treasury?s ability to reallocate ERA 1 award funds pursuant to section 501(d) of the 2021 Consolidated Appropriations Act. Recommendation: We recommend that DHS implement formal policies and procedures to verify the information reported by counties to be included on the reports. Reported amounts should be reviewed for accuracy before reports are submitted to US Treasury to ensure that reports filed are complete and accurate. We further recommend that DHS retains documentation supporting when reports are submitted, and that this documentation is available for audit. Finding 2022 ? 007: (continued) Agency Response: DHS agrees with this finding. Pennsylvania legislation directed DHS funds to all 67 counties including 18 counties that received direct federal funds. Each subgrantee reported information regarding metrics outlined by the 10th of the month for the prior month. DHS reconciles various metrics in order to comply with US Treasury?s deadline to report monthly on the 15th of the month for the prior month. Similar to other DHS programs, DHS has implemented an after-action review of information submitted, using a contracted vendor. DHS faced challenges implementing a program with 67 counties and no central eligibility determination system. DHS has learned that standing up the supportive services and multi-sector partnerships was challenging in the context of the global pandemic workforce shortages. This made DHS dependent on local county reports to maintain program oversight and compile statewide data for submission to US Treasury. DHS will strengthen this control as we plan for future emergency or pandemic programs related to rental assistance. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of the Budget ? Governor?s Budget Office Finding 2022 ? 011: ALN 21.027 ? COVID 19 ? Coronavirus State and Local Fiscal Recovery Funds A Significant Deficiency and Noncompliance Exist Related to Preparation of the Interim Report Federal Grant Number(s) and Year(s): TN75GJE1S7G3 (3/03/2021 ? 12/31/2024) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Reporting Condition: The Coronavirus State and Local Fiscal Recovery Funds (SLFRF) program was established under the American Rescue Plan Act to provide support to state, territorial, local, and tribal governments in responding to the economic and public health impacts of the COVID-19 pandemic. The Commonwealth of Pennsylvania, as a recipient of SLFRF funding, was required to submit a one-time Interim Report with expenditures by expenditure category, which provides an overview of the status and use of program funds. The Office of the Budget, Governor?s Budget Office (GBO), excluded $14,481,522 from the Interim Report which represents expenditures that had been approved but not paid as of July 31, 2021. These transactions were included as expenditures in the Commonwealth?s accounting system as of July 31, 2021, but payment had not yet been issued. Per the United States Department of the Treasury?s (US Treasury) reporting guidance, this amount should have been included on the Interim Report as an obligation for the period ending July 31, 2021. Criteria: The SLFRF Compliance and Reporting Guidance, issued by the US Treasury on June 17, 2022, states in part: States ? were required to submit a one-time interim report with expenditures by Expenditure Category from the date of award to July 31, 2021, by August 31, 2021 or sixty (60) days after first receiving funding if the recipient?s date of award was between July 15, 2021 and October 15, 2021. The recipient was required to enter obligations and expenditures and, for each, select the specific expenditure category from the available options. The report is required to be submitted to the US Treasury?s SLFRF portal, and for reporting purposes, an expenditure is the amount that has been incurred as a liability of the entity (the service has been rendered or the good has been delivered to the entity), and an obligation is an order placed for property and services, contracts and subawards made, and similar transactions that require payment. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: When the Interim Report was prepared, GBO interpreted program reporting requirements to be that the expenditures and obligations reported should match the Non-Entitlement Units (NEU) reports the Commonwealth had on file with US Treasury. Therefore, GBO reported only disbursements issued by the Pennsylvania Treasury by July 31, 2021 and excluded expenditures incurred in the accounting system that had not yet been issued as of July 31, 2021. Effect: GBO did not fully report program obligations on the Interim Report as of July 31, 2021. Recommendation: We recommend that GBO report all transactions that have been expended and/or approved for payment in accordance with program reporting requirements. Finding 2022 ? 011: (continued) Agency Response: GBO agrees with this finding. Questioned Costs: None noted as the expenditures were subsequently reported to US Treasury in Project and Expenditure Reports. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Education Finding 2022 ? 004: ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER A Significant Deficiency and Noncompliance Exist at the Department of Education Related to Submission of GEER, ESSER, and CRRSA EANS Annual Reporting (A Similar Condition Was Noted in Prior Year Finding 2021-003) Federal Grant Number(s) and Year(s): S425D200028 (3/13/2020 ? 9/30/2024), S425D210028 (3/13/2020 ? 9/30/2024), S425U210028 (3/13/2020 ? 9/30/2024) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Reporting Condition: As the State Educational Agency (SEA), the Pennsylvania Department of Education (PDE) is required to submit annual data reports to the United States Department of Education (USDE) for the components of the Education Stabilization Fund (ESF) program. These reports support the annual collection of data pertaining to the uses of funds under the Governor?s Emergency Education Relief (GEER) Fund, Elementary and Secondary School Emergency Relief (ESSER) Fund, Coronavirus Response and Relief Supplemental Appropriations Act, 2021 ? Emergency Assistance to Non-Public Schools (CRRSA EANS) Program, and the American Rescue Plan ? Elementary and Secondary School Emergency Relief (ARP ESSER). USDE awards ESF grants to SEAs for the purpose of providing local educational agencies (LEAs), including charter schools that are LEAs, with emergency relief funds to address the impact of the Novel Coronavirus Disease 2019 (COVID-19) on elementary and secondary schools across the nation. LEAs must provide equitable services to students and teachers in non-public schools as required under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). During the fiscal year ended June 30, 2022, PDE was required to submit the ESSER and ARP ESSER annual report for the period October 1, 2020 through June 30, 2021 and the GEER and CRRSA EANS annual reports for the period July 1, 2020 through June 30, 2021. As the direct recipient of ESSER, ARP ESSER, GEER, and CRRSA EANS funds, PDE is responsible for ensuring the timeliness and accuracy of the annual report submissions. PDE obtained summary information from the LEAs to compile and submit the reports which contained all required data elements. However, PDE did not implement policies and procedures to ensure the accuracy of the information reported by the LEAs. Therefore, PDE was unable to provide supporting documentation for amounts reported by LEAs on the annual reports or to demonstrate that they had reviewed and verified the accuracy of this information. Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the Education Stabilization Fund, Section L.3.a, Reporting ? Special Reporting ? Annual Reporting ? SEA/Governor, states in part: ESSER, GEER, and [CRRSA] EANS grantees must submit an annual performance report (OMB No. 1810-0749 for ESSER; 1810-0748 for GEER; and 1810-0765 for EANS) with data on expenditures, planned expenditures, subrecipients, and uses of funds, including for mandatory reservations. Finding 2022 ? 004: (continued) 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework?, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDE did not implement policies and procedures to ensure the accuracy of information reported by LEAs which was included on the Annual Reports. Effect: Without review and validation of the detail supporting the summary information reported by LEAs, the Annual Reports may have contained inaccurate information. Recommendation: We recommend that PDE implement formal policies and procedures to verify the information reported by LEAs to be included on the Annual Reports. Reported amounts should be reviewed for accuracy before reports are submitted to USDE to ensure that reports filed are complete and accurate. Agency Response: PDE agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Education Finding 2022 ? 004: ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER A Significant Deficiency and Noncompliance Exist at the Department of Education Related to Submission of GEER, ESSER, and CRRSA EANS Annual Reporting (A Similar Condition Was Noted in Prior Year Finding 2021-003) Federal Grant Number(s) and Year(s): S425D200028 (3/13/2020 ? 9/30/2024), S425D210028 (3/13/2020 ? 9/30/2024), S425U210028 (3/13/2020 ? 9/30/2024) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Reporting Condition: As the State Educational Agency (SEA), the Pennsylvania Department of Education (PDE) is required to submit annual data reports to the United States Department of Education (USDE) for the components of the Education Stabilization Fund (ESF) program. These reports support the annual collection of data pertaining to the uses of funds under the Governor?s Emergency Education Relief (GEER) Fund, Elementary and Secondary School Emergency Relief (ESSER) Fund, Coronavirus Response and Relief Supplemental Appropriations Act, 2021 ? Emergency Assistance to Non-Public Schools (CRRSA EANS) Program, and the American Rescue Plan ? Elementary and Secondary School Emergency Relief (ARP ESSER). USDE awards ESF grants to SEAs for the purpose of providing local educational agencies (LEAs), including charter schools that are LEAs, with emergency relief funds to address the impact of the Novel Coronavirus Disease 2019 (COVID-19) on elementary and secondary schools across the nation. LEAs must provide equitable services to students and teachers in non-public schools as required under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). During the fiscal year ended June 30, 2022, PDE was required to submit the ESSER and ARP ESSER annual report for the period October 1, 2020 through June 30, 2021 and the GEER and CRRSA EANS annual reports for the period July 1, 2020 through June 30, 2021. As the direct recipient of ESSER, ARP ESSER, GEER, and CRRSA EANS funds, PDE is responsible for ensuring the timeliness and accuracy of the annual report submissions. PDE obtained summary information from the LEAs to compile and submit the reports which contained all required data elements. However, PDE did not implement policies and procedures to ensure the accuracy of the information reported by the LEAs. Therefore, PDE was unable to provide supporting documentation for amounts reported by LEAs on the annual reports or to demonstrate that they had reviewed and verified the accuracy of this information. Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the Education Stabilization Fund, Section L.3.a, Reporting ? Special Reporting ? Annual Reporting ? SEA/Governor, states in part: ESSER, GEER, and [CRRSA] EANS grantees must submit an annual performance report (OMB No. 1810-0749 for ESSER; 1810-0748 for GEER; and 1810-0765 for EANS) with data on expenditures, planned expenditures, subrecipients, and uses of funds, including for mandatory reservations. Finding 2022 ? 004: (continued) 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework?, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDE did not implement policies and procedures to ensure the accuracy of information reported by LEAs which was included on the Annual Reports. Effect: Without review and validation of the detail supporting the summary information reported by LEAs, the Annual Reports may have contained inaccurate information. Recommendation: We recommend that PDE implement formal policies and procedures to verify the information reported by LEAs to be included on the Annual Reports. Reported amounts should be reviewed for accuracy before reports are submitted to USDE to ensure that reports filed are complete and accurate. Agency Response: PDE agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Education Finding 2022 ? 004: ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER A Significant Deficiency and Noncompliance Exist at the Department of Education Related to Submission of GEER, ESSER, and CRRSA EANS Annual Reporting (A Similar Condition Was Noted in Prior Year Finding 2021-003) Federal Grant Number(s) and Year(s): S425D200028 (3/13/2020 ? 9/30/2024), S425D210028 (3/13/2020 ? 9/30/2024), S425U210028 (3/13/2020 ? 9/30/2024) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Reporting Condition: As the State Educational Agency (SEA), the Pennsylvania Department of Education (PDE) is required to submit annual data reports to the United States Department of Education (USDE) for the components of the Education Stabilization Fund (ESF) program. These reports support the annual collection of data pertaining to the uses of funds under the Governor?s Emergency Education Relief (GEER) Fund, Elementary and Secondary School Emergency Relief (ESSER) Fund, Coronavirus Response and Relief Supplemental Appropriations Act, 2021 ? Emergency Assistance to Non-Public Schools (CRRSA EANS) Program, and the American Rescue Plan ? Elementary and Secondary School Emergency Relief (ARP ESSER). USDE awards ESF grants to SEAs for the purpose of providing local educational agencies (LEAs), including charter schools that are LEAs, with emergency relief funds to address the impact of the Novel Coronavirus Disease 2019 (COVID-19) on elementary and secondary schools across the nation. LEAs must provide equitable services to students and teachers in non-public schools as required under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). During the fiscal year ended June 30, 2022, PDE was required to submit the ESSER and ARP ESSER annual report for the period October 1, 2020 through June 30, 2021 and the GEER and CRRSA EANS annual reports for the period July 1, 2020 through June 30, 2021. As the direct recipient of ESSER, ARP ESSER, GEER, and CRRSA EANS funds, PDE is responsible for ensuring the timeliness and accuracy of the annual report submissions. PDE obtained summary information from the LEAs to compile and submit the reports which contained all required data elements. However, PDE did not implement policies and procedures to ensure the accuracy of the information reported by the LEAs. Therefore, PDE was unable to provide supporting documentation for amounts reported by LEAs on the annual reports or to demonstrate that they had reviewed and verified the accuracy of this information. Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the Education Stabilization Fund, Section L.3.a, Reporting ? Special Reporting ? Annual Reporting ? SEA/Governor, states in part: ESSER, GEER, and [CRRSA] EANS grantees must submit an annual performance report (OMB No. 1810-0749 for ESSER; 1810-0748 for GEER; and 1810-0765 for EANS) with data on expenditures, planned expenditures, subrecipients, and uses of funds, including for mandatory reservations. Finding 2022 ? 004: (continued) 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework?, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDE did not implement policies and procedures to ensure the accuracy of information reported by LEAs which was included on the Annual Reports. Effect: Without review and validation of the detail supporting the summary information reported by LEAs, the Annual Reports may have contained inaccurate information. Recommendation: We recommend that PDE implement formal policies and procedures to verify the information reported by LEAs to be included on the Annual Reports. Reported amounts should be reviewed for accuracy before reports are submitted to USDE to ensure that reports filed are complete and accurate. Agency Response: PDE agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Education Finding 2022 ? 004: ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER A Significant Deficiency and Noncompliance Exist at the Department of Education Related to Submission of GEER, ESSER, and CRRSA EANS Annual Reporting (A Similar Condition Was Noted in Prior Year Finding 2021-003) Federal Grant Number(s) and Year(s): S425D200028 (3/13/2020 ? 9/30/2024), S425D210028 (3/13/2020 ? 9/30/2024), S425U210028 (3/13/2020 ? 9/30/2024) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Reporting Condition: As the State Educational Agency (SEA), the Pennsylvania Department of Education (PDE) is required to submit annual data reports to the United States Department of Education (USDE) for the components of the Education Stabilization Fund (ESF) program. These reports support the annual collection of data pertaining to the uses of funds under the Governor?s Emergency Education Relief (GEER) Fund, Elementary and Secondary School Emergency Relief (ESSER) Fund, Coronavirus Response and Relief Supplemental Appropriations Act, 2021 ? Emergency Assistance to Non-Public Schools (CRRSA EANS) Program, and the American Rescue Plan ? Elementary and Secondary School Emergency Relief (ARP ESSER). USDE awards ESF grants to SEAs for the purpose of providing local educational agencies (LEAs), including charter schools that are LEAs, with emergency relief funds to address the impact of the Novel Coronavirus Disease 2019 (COVID-19) on elementary and secondary schools across the nation. LEAs must provide equitable services to students and teachers in non-public schools as required under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). During the fiscal year ended June 30, 2022, PDE was required to submit the ESSER and ARP ESSER annual report for the period October 1, 2020 through June 30, 2021 and the GEER and CRRSA EANS annual reports for the period July 1, 2020 through June 30, 2021. As the direct recipient of ESSER, ARP ESSER, GEER, and CRRSA EANS funds, PDE is responsible for ensuring the timeliness and accuracy of the annual report submissions. PDE obtained summary information from the LEAs to compile and submit the reports which contained all required data elements. However, PDE did not implement policies and procedures to ensure the accuracy of the information reported by the LEAs. Therefore, PDE was unable to provide supporting documentation for amounts reported by LEAs on the annual reports or to demonstrate that they had reviewed and verified the accuracy of this information. Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the Education Stabilization Fund, Section L.3.a, Reporting ? Special Reporting ? Annual Reporting ? SEA/Governor, states in part: ESSER, GEER, and [CRRSA] EANS grantees must submit an annual performance report (OMB No. 1810-0749 for ESSER; 1810-0748 for GEER; and 1810-0765 for EANS) with data on expenditures, planned expenditures, subrecipients, and uses of funds, including for mandatory reservations. Finding 2022 ? 004: (continued) 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework?, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDE did not implement policies and procedures to ensure the accuracy of information reported by LEAs which was included on the Annual Reports. Effect: Without review and validation of the detail supporting the summary information reported by LEAs, the Annual Reports may have contained inaccurate information. Recommendation: We recommend that PDE implement formal policies and procedures to verify the information reported by LEAs to be included on the Annual Reports. Reported amounts should be reviewed for accuracy before reports are submitted to USDE to ensure that reports filed are complete and accurate. Agency Response: PDE agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of the Budget ? Office of Comptroller Operations Finding 2022 ? 012: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s FFATA Reporting Process Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth?s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month?s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $113.1 million from ten major programs disclosed that 13 transactions totaling $29.2 million, or 33 percent of transactions tested, were not reported to FSRS. Specifically, the 13 transactions for which the FFATA information was not reported occurred within three of the ten programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (1) Not all subrecipient awards within total subrecipient expenditures (program total) may meet the criteria for FFATA reporting. Finding 2022 ? 012: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2022 ? 012: (continued) Cause: OB-BAFM personnel indicated that due to staff turnover, certain subawards were not reported to FSRS because the award dates were not being entered for the internal order number in SAP. The award dates identify the contracts that are extracted from SAP for the upload to the FFATA database and the subsequent upload to FSRS. As a result of our testing, OB-BAFM personnel indicated they have established and implemented procedures to ensure award dates are entered into SAP for all internal orders so that the required subawards are properly reported in FSRS. The new procedures also include review of the FFATA information to ensure the data is consistent and correct before being uploaded to FSRS. Regarding the 13 transactions identified during our testing that were not reported to the FFATA database, OB-BAFM personnel indicated they subsequently identified and entered award dates for subawards that were missing an award date, allowing the award information to upload to the FFATA database and FSRS as required. Effect: Since the award dates for 13 internal order numbers were not entered in SAP, the awards failed to upload to the FFATA database and were not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements may recur in future periods if control deficiencies are not corrected to ensure completeness of the upload to FSRS. Recommendation: We recommend that OB-BAFM continue to implement their established procedures to ensure all subrecipient contract information is properly recorded in SAP and the upload into the FFATA database, and FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of the Budget ? Office of Comptroller Operations Finding 2022 ? 012: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s FFATA Reporting Process Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth?s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month?s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $113.1 million from ten major programs disclosed that 13 transactions totaling $29.2 million, or 33 percent of transactions tested, were not reported to FSRS. Specifically, the 13 transactions for which the FFATA information was not reported occurred within three of the ten programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (1) Not all subrecipient awards within total subrecipient expenditures (program total) may meet the criteria for FFATA reporting. Finding 2022 ? 012: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2022 ? 012: (continued) Cause: OB-BAFM personnel indicated that due to staff turnover, certain subawards were not reported to FSRS because the award dates were not being entered for the internal order number in SAP. The award dates identify the contracts that are extracted from SAP for the upload to the FFATA database and the subsequent upload to FSRS. As a result of our testing, OB-BAFM personnel indicated they have established and implemented procedures to ensure award dates are entered into SAP for all internal orders so that the required subawards are properly reported in FSRS. The new procedures also include review of the FFATA information to ensure the data is consistent and correct before being uploaded to FSRS. Regarding the 13 transactions identified during our testing that were not reported to the FFATA database, OB-BAFM personnel indicated they subsequently identified and entered award dates for subawards that were missing an award date, allowing the award information to upload to the FFATA database and FSRS as required. Effect: Since the award dates for 13 internal order numbers were not entered in SAP, the awards failed to upload to the FFATA database and were not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements may recur in future periods if control deficiencies are not corrected to ensure completeness of the upload to FSRS. Recommendation: We recommend that OB-BAFM continue to implement their established procedures to ensure all subrecipient contract information is properly recorded in SAP and the upload into the FFATA database, and FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of the Budget ? Office of Comptroller Operations Finding 2022 ? 012: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s FFATA Reporting Process Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth?s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month?s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $113.1 million from ten major programs disclosed that 13 transactions totaling $29.2 million, or 33 percent of transactions tested, were not reported to FSRS. Specifically, the 13 transactions for which the FFATA information was not reported occurred within three of the ten programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (1) Not all subrecipient awards within total subrecipient expenditures (program total) may meet the criteria for FFATA reporting. Finding 2022 ? 012: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2022 ? 012: (continued) Cause: OB-BAFM personnel indicated that due to staff turnover, certain subawards were not reported to FSRS because the award dates were not being entered for the internal order number in SAP. The award dates identify the contracts that are extracted from SAP for the upload to the FFATA database and the subsequent upload to FSRS. As a result of our testing, OB-BAFM personnel indicated they have established and implemented procedures to ensure award dates are entered into SAP for all internal orders so that the required subawards are properly reported in FSRS. The new procedures also include review of the FFATA information to ensure the data is consistent and correct before being uploaded to FSRS. Regarding the 13 transactions identified during our testing that were not reported to the FFATA database, OB-BAFM personnel indicated they subsequently identified and entered award dates for subawards that were missing an award date, allowing the award information to upload to the FFATA database and FSRS as required. Effect: Since the award dates for 13 internal order numbers were not entered in SAP, the awards failed to upload to the FFATA database and were not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements may recur in future periods if control deficiencies are not corrected to ensure completeness of the upload to FSRS. Recommendation: We recommend that OB-BAFM continue to implement their established procedures to ensure all subrecipient contract information is properly recorded in SAP and the upload into the FFATA database, and FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 009: ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2021-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2021 ? 9/30/2022), 2205PA5ADM (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021), 2105PA5ADM (10/01/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid National Correct Coding Initiative (NCCI) methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS?s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS?s PROMISe vendor. During the fiscal year ended June 30, 2022, DHS did not ensure that its contract and amendments with the PROMISe vendor included two out of seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The two missing elements included: ? Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. ? Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. Finding 2022 ? 009: (continued) The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: DHS personnel added five of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to a PROMISe vendor contract amendment in 2022 but did not add the remaining two elements because they believed the elements were already covered by existing contract terms. Effect: Since DHS did not ensure two of the seven elements of the required NCCI Confidentiality Agreement were included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the two missing elements of the required NCCI Confidentiality Agreement are included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 009: ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2021-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2021 ? 9/30/2022), 2205PA5ADM (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021), 2105PA5ADM (10/01/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid National Correct Coding Initiative (NCCI) methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS?s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS?s PROMISe vendor. During the fiscal year ended June 30, 2022, DHS did not ensure that its contract and amendments with the PROMISe vendor included two out of seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The two missing elements included: ? Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. ? Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. Finding 2022 ? 009: (continued) The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: DHS personnel added five of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to a PROMISe vendor contract amendment in 2022 but did not add the remaining two elements because they believed the elements were already covered by existing contract terms. Effect: Since DHS did not ensure two of the seven elements of the required NCCI Confidentiality Agreement were included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the two missing elements of the required NCCI Confidentiality Agreement are included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 009: ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2021-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2021 ? 9/30/2022), 2205PA5ADM (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021), 2105PA5ADM (10/01/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid National Correct Coding Initiative (NCCI) methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS?s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS?s PROMISe vendor. During the fiscal year ended June 30, 2022, DHS did not ensure that its contract and amendments with the PROMISe vendor included two out of seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The two missing elements included: ? Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. ? Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. Finding 2022 ? 009: (continued) The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: DHS personnel added five of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to a PROMISe vendor contract amendment in 2022 but did not add the remaining two elements because they believed the elements were already covered by existing contract terms. Effect: Since DHS did not ensure two of the seven elements of the required NCCI Confidentiality Agreement were included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the two missing elements of the required NCCI Confidentiality Agreement are included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 009: ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2021-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2021 ? 9/30/2022), 2205PA5ADM (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021), 2105PA5ADM (10/01/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid National Correct Coding Initiative (NCCI) methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS?s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS?s PROMISe vendor. During the fiscal year ended June 30, 2022, DHS did not ensure that its contract and amendments with the PROMISe vendor included two out of seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The two missing elements included: ? Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. ? Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. Finding 2022 ? 009: (continued) The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: DHS personnel added five of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to a PROMISe vendor contract amendment in 2022 but did not add the remaining two elements because they believed the elements were already covered by existing contract terms. Effect: Since DHS did not ensure two of the seven elements of the required NCCI Confidentiality Agreement were included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the two missing elements of the required NCCI Confidentiality Agreement are included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 009: ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2021-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2021 ? 9/30/2022), 2205PA5ADM (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021), 2105PA5ADM (10/01/2020 ? 9/30/2021) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid National Correct Coding Initiative (NCCI) methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS?s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS?s PROMISe vendor. During the fiscal year ended June 30, 2022, DHS did not ensure that its contract and amendments with the PROMISe vendor included two out of seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The two missing elements included: ? Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. ? Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. Finding 2022 ? 009: (continued) The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: DHS personnel added five of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to a PROMISe vendor contract amendment in 2022 but did not add the remaining two elements because they believed the elements were already covered by existing contract terms. Effect: Since DHS did not ensure two of the seven elements of the required NCCI Confidentiality Agreement were included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the two missing elements of the required NCCI Confidentiality Agreement are included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of the Budget ? Office of Comptroller Operations Finding 2022 ? 012: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s FFATA Reporting Process Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth?s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month?s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $113.1 million from ten major programs disclosed that 13 transactions totaling $29.2 million, or 33 percent of transactions tested, were not reported to FSRS. Specifically, the 13 transactions for which the FFATA information was not reported occurred within three of the ten programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (1) Not all subrecipient awards within total subrecipient expenditures (program total) may meet the criteria for FFATA reporting. Finding 2022 ? 012: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2022 ? 012: (continued) Cause: OB-BAFM personnel indicated that due to staff turnover, certain subawards were not reported to FSRS because the award dates were not being entered for the internal order number in SAP. The award dates identify the contracts that are extracted from SAP for the upload to the FFATA database and the subsequent upload to FSRS. As a result of our testing, OB-BAFM personnel indicated they have established and implemented procedures to ensure award dates are entered into SAP for all internal orders so that the required subawards are properly reported in FSRS. The new procedures also include review of the FFATA information to ensure the data is consistent and correct before being uploaded to FSRS. Regarding the 13 transactions identified during our testing that were not reported to the FFATA database, OB-BAFM personnel indicated they subsequently identified and entered award dates for subawards that were missing an award date, allowing the award information to upload to the FFATA database and FSRS as required. Effect: Since the award dates for 13 internal order numbers were not entered in SAP, the awards failed to upload to the FFATA database and were not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements may recur in future periods if control deficiencies are not corrected to ensure completeness of the upload to FSRS. Recommendation: We recommend that OB-BAFM continue to implement their established procedures to ensure all subrecipient contract information is properly recorded in SAP and the upload into the FFATA database, and FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 013: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient?s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2021-014) Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1901PATANF (10/01/2018 ? 9/30/2019), 2101PAADPT (10/01/2020 ? 9/30/2021), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2022. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the DHS and the Pennsylvania Department of Health (DOH) did not adequately evaluate each subrecipient?s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients? Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by ?No?) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient?s risk of noncompliance. SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2022 ? 013: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) (1) Although an evaluation of subrecipient risk was conducted, the only risk factor used in the evaluation was the error rate detected for the county subrecipients. The evaluation is deemed inadequate since there was no written evidence that the risk assessment considered other risk factors, such as the risk factors identified in 2 CFR Section 200.332. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient?s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient?s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Finding 2022 ? 013: (continued) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS?s process for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS and DOH were not properly documented. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Recommendation: DHS should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS and DOH should implement procedures to adequately document their evaluation of each subrecipient?s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with this finding. DOH Response: DOH agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of the Budget ? Office of Comptroller Operations Finding 2022 ? 012: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s FFATA Reporting Process Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth?s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month?s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $113.1 million from ten major programs disclosed that 13 transactions totaling $29.2 million, or 33 percent of transactions tested, were not reported to FSRS. Specifically, the 13 transactions for which the FFATA information was not reported occurred within three of the ten programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (1) Not all subrecipient awards within total subrecipient expenditures (program total) may meet the criteria for FFATA reporting. Finding 2022 ? 012: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2022 ? 012: (continued) Cause: OB-BAFM personnel indicated that due to staff turnover, certain subawards were not reported to FSRS because the award dates were not being entered for the internal order number in SAP. The award dates identify the contracts that are extracted from SAP for the upload to the FFATA database and the subsequent upload to FSRS. As a result of our testing, OB-BAFM personnel indicated they have established and implemented procedures to ensure award dates are entered into SAP for all internal orders so that the required subawards are properly reported in FSRS. The new procedures also include review of the FFATA information to ensure the data is consistent and correct before being uploaded to FSRS. Regarding the 13 transactions identified during our testing that were not reported to the FFATA database, OB-BAFM personnel indicated they subsequently identified and entered award dates for subawards that were missing an award date, allowing the award information to upload to the FFATA database and FSRS as required. Effect: Since the award dates for 13 internal order numbers were not entered in SAP, the awards failed to upload to the FFATA database and were not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements may recur in future periods if control deficiencies are not corrected to ensure completeness of the upload to FSRS. Recommendation: We recommend that OB-BAFM continue to implement their established procedures to ensure all subrecipient contract information is properly recorded in SAP and the upload into the FFATA database, and FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 013: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient?s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2021-014) Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1901PATANF (10/01/2018 ? 9/30/2019), 2101PAADPT (10/01/2020 ? 9/30/2021), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2022. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the DHS and the Pennsylvania Department of Health (DOH) did not adequately evaluate each subrecipient?s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients? Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by ?No?) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient?s risk of noncompliance. SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2022 ? 013: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) (1) Although an evaluation of subrecipient risk was conducted, the only risk factor used in the evaluation was the error rate detected for the county subrecipients. The evaluation is deemed inadequate since there was no written evidence that the risk assessment considered other risk factors, such as the risk factors identified in 2 CFR Section 200.332. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient?s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient?s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Finding 2022 ? 013: (continued) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS?s process for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS and DOH were not properly documented. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Recommendation: DHS should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS and DOH should implement procedures to adequately document their evaluation of each subrecipient?s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with this finding. DOH Response: DOH agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 006: ALN 10.551 and 10.561 ? Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2021-005) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 ? 9/30/2022), 211PA405S2514 (10/01/2020 ? 9/30/2021), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2101PATANFC6 (10/01/2020 ? 9/30/2022) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2022 totaled $5.6 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2022 totaled $129.7 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our review of the physical security over EBT cards, we noted exceptions at all CAO and district locations selected for testing. These exceptions included the following: 1) The ending inventory count of EBT cards at June 30, 2022 which was calculated using the weekly log including July 1, 2021, the daily logs for the fiscal year ended June 30, 2022, and the EBT shipment logs for the fiscal year ended June 30, 2022 did not reconcile to the inventory count on the weekly log including June 30, 2022 in the EBT Card Tracking Database (1 location); 2) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a district office. The master list includes five cardmakers and zero pinners. The district office list includes one pinner who is listed as a cardmaker on the master list (1 district office); 3) EBT cards were created outside of the hours of operations (2 district offices); 4) The Weekly Log was completed and closed prior to close of business (1 location); 5) The Electronic Payment Processing and Information Control (EPPIC) EBT Systems Application forms provided by a district office did not match the forms provided by the EBT Project Office (1 district office); 6) Failure to perform the following: ? Completion of the witness field on an EBT Shipment Verification Log (1 district); ? Completion of the weekly approver field on the Weekly Log (1 district office); ? Completion of the EBT Card Paper Logs daily instead of only in an emergency situation (1 location); ? Completion of the requestor field on the EPPIC EBT Systems Application forms (1 district office); ? Completion of the exceptions, approved, and approver fields on the Daily Log when a Form HS 764 was completed (2 district offices); ? Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 location); ? Designate a manager or supervisor to the EBT Coordinator role (1 location); Finding 2022 ? 006: (continued) ? Ensure that coverage for card pinning is available until 5:00 PM each business day (3 district offices and 1 location); ? Ensure EBT Card Tracking Database users are assigned the appropriate role responsibilities within the database. An employee has two active user accounts with different assigned staff roles to each account (1 district office); ? Ensure users no longer using the EBT Card Tracking Database are deactivated (1 district office and 1 location); ? Maintain adequate security of EBT cards (1 district office and 5 locations); ? Maintain adequate security of pinning device (1 district office and 4 locations); ? Maintain adequate security of EBT card printing device (1 location); ? Maintain adequate security of ribbons (1 district office and 4 locations); ? Maintain adequate security of paper EBT logs (3 locations); ? Maintain accurate EBT card inventory in the EBT Card Tracking Database (1 location); ? Maintain operational efficiency due to only having one PIN Select Device (1 district office); ? Maintain operational efficiency due to having an inoperable EBT Card Printer for a portion of the fiscal year (1 district office); ? Proper completion of Form HS 764 (1 district office and 1 location); ? Proper destruction of damaged EBT cards (1 district office); ? Proper format of the EPPIC EBT Systems Application form files sent to the Office of Income Maintenance (OIM) EBT Security Administrator (1 location); ? Scan Form HS 764 to case record after the EBT card is created (1 location); ? Provide the Ribbon Installation and Destruction Log from the EBT Card Tracking Database (1 district office); ? Retain EPPIC EBT Systems Application forms electronically (1 district office); ? Timely enter a shipment received into the EBT Card Tracking Database (1 location); ? Timely completion and submission of the EPPIC EBT Systems Application forms to OIM EBT Security (3 locations). Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions ? N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also ?75.361, 75.362, 75.363, 75.364, and 75.365): Finding 2022 ? 006: (continued) (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See ?75.303. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 008: ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) Department of Human Services Did Not Validate Financial Information as Part of Its On-Site Monitoring of Temporary Assistance for Needy Families Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2021-007) Federal Grant Number(s) and Year(s): 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1801PATANF (10/01/2017 ? 9/30/2018), 1701PATANF (10/01/2016 ? 9/30/2017) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: During the fiscal year ended June 30, 2022, the Department of Human Services (DHS) paid $79.5 million in Temporary Assistance for Needy Families (TANF) funding to subrecipients within the New Directions, Cash Grants, and Alternatives to Abortion appropriations (or 22.1 percent) out of total federal TANF expenditures of $360.2 million reported on the June 30, 2022 Schedule of Expenditures of Federal Awards. Our testing of DHS?s during-the-award monitoring of subrecipients for the fiscal year ended June 30, 2022 disclosed that DHS performed on-site monitoring for 20 out of 21 subrecipients selected for testing. The on-site monitoring that was performed consisted of reviews of program operations including design, data entry accuracy and timeliness, case management analysis, and program payment performance goals. The on-site monitoring also included a review of a sample of TANF recipient case files to ensure that the recipients? TANF activities were documented and accurately entered in the Commonwealth?s Workforce Development System. However, DHS?s monitoring procedures for the 20 subrecipients were not adequate as they did not include a review or monitoring of subrecipient financial records, which would provide an assessment of a subrecipient?s compliance with applicable federal regulations. Although DHS?s monitoring procedures include reviewing subrecipient completed questionnaires for selected subrecipients that had questions related to financial matters, DHS?s monitoring personnel did not review subrecipient financial records. For example, DHS did not perform procedures to ensure subrecipient invoices agreed to the books and records of the subrecipient and that the records were adequate to support the allowability of costs paid by DHS during the award period. In addition, DHS?s monitoring procedures did not include an evaluation of the operating effectiveness of DHS subrecipients? procedures to monitor Single Audits and any related findings. Our testing of the 21 subrecipients noted above included follow up on one subrecipient identified in the prior year finding as not being on-site monitored by DHS when the risk assessment warranted on-site monitoring. Our follow-up during the current audit period disclosed that DHS did not conduct on-site monitoring for this subrecipient during the fiscal year ended June 30, 2022. Since the on-site monitoring was not completed, internal control weaknesses, noncompliance, and questioned costs may have existed and remained undetected during the current audit period. This subrecipient received $980,923 of TANF funds during the fiscal year ended June 30, 2022. Criteria: 45 CFR Section 75.352, Requirements for pass-through entities, states: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. Finding 2022 ? 008: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by ? 75.521 [Management decision]. 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in ?200.425 [Audit services]. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: DHS planned to implement new during-the-award monitoring procedures to be used for the on-site monitoring of subrecipients, but these procedures were not in place for monitoring conducted during the fiscal year ended June 30, 2022. Therefore, DHS has not implemented adequate during-the-award monitoring procedures of subrecipients to include testing of the financial records and the subrecipients? monitoring of Single Audits sufficient to ensure compliance with federal regulations. Regarding the one subrecipient for which on-site monitoring was not completed, DHS personnel stated that they are working with the subrecipient to obtain the necessary documentation to complete the on-site monitoring. Effect: TANF subrecipients could be operating in noncompliance with federal regulations without timely detection and correction by DHS management. Recommendation: DHS should strengthen its controls to ensure during-the-award monitoring of TANF subrecipients includes procedures to ensure that subrecipients are in compliance with applicable federal regulations. This should include examining subrecipients? financial records and ensuring that all required Single Audits were obtained by DHS subrecipients. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of the Budget ? Office of Comptroller Operations Finding 2022 ? 012: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s FFATA Reporting Process Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth?s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month?s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $113.1 million from ten major programs disclosed that 13 transactions totaling $29.2 million, or 33 percent of transactions tested, were not reported to FSRS. Specifically, the 13 transactions for which the FFATA information was not reported occurred within three of the ten programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (1) Not all subrecipient awards within total subrecipient expenditures (program total) may meet the criteria for FFATA reporting. Finding 2022 ? 012: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2022 ? 012: (continued) Cause: OB-BAFM personnel indicated that due to staff turnover, certain subawards were not reported to FSRS because the award dates were not being entered for the internal order number in SAP. The award dates identify the contracts that are extracted from SAP for the upload to the FFATA database and the subsequent upload to FSRS. As a result of our testing, OB-BAFM personnel indicated they have established and implemented procedures to ensure award dates are entered into SAP for all internal orders so that the required subawards are properly reported in FSRS. The new procedures also include review of the FFATA information to ensure the data is consistent and correct before being uploaded to FSRS. Regarding the 13 transactions identified during our testing that were not reported to the FFATA database, OB-BAFM personnel indicated they subsequently identified and entered award dates for subawards that were missing an award date, allowing the award information to upload to the FFATA database and FSRS as required. Effect: Since the award dates for 13 internal order numbers were not entered in SAP, the awards failed to upload to the FFATA database and were not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements may recur in future periods if control deficiencies are not corrected to ensure completeness of the upload to FSRS. Recommendation: We recommend that OB-BAFM continue to implement their established procedures to ensure all subrecipient contract information is properly recorded in SAP and the upload into the FFATA database, and FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 013: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient?s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2021-014) Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1901PATANF (10/01/2018 ? 9/30/2019), 2101PAADPT (10/01/2020 ? 9/30/2021), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2022. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the DHS and the Pennsylvania Department of Health (DOH) did not adequately evaluate each subrecipient?s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients? Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by ?No?) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient?s risk of noncompliance. SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2022 ? 013: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) (1) Although an evaluation of subrecipient risk was conducted, the only risk factor used in the evaluation was the error rate detected for the county subrecipients. The evaluation is deemed inadequate since there was no written evidence that the risk assessment considered other risk factors, such as the risk factors identified in 2 CFR Section 200.332. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient?s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient?s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Finding 2022 ? 013: (continued) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS?s process for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS and DOH were not properly documented. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Recommendation: DHS should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS and DOH should implement procedures to adequately document their evaluation of each subrecipient?s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with this finding. DOH Response: DOH agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 006: ALN 10.551 and 10.561 ? Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2021-005) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 ? 9/30/2022), 211PA405S2514 (10/01/2020 ? 9/30/2021), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2101PATANFC6 (10/01/2020 ? 9/30/2022) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2022 totaled $5.6 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2022 totaled $129.7 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our review of the physical security over EBT cards, we noted exceptions at all CAO and district locations selected for testing. These exceptions included the following: 1) The ending inventory count of EBT cards at June 30, 2022 which was calculated using the weekly log including July 1, 2021, the daily logs for the fiscal year ended June 30, 2022, and the EBT shipment logs for the fiscal year ended June 30, 2022 did not reconcile to the inventory count on the weekly log including June 30, 2022 in the EBT Card Tracking Database (1 location); 2) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a district office. The master list includes five cardmakers and zero pinners. The district office list includes one pinner who is listed as a cardmaker on the master list (1 district office); 3) EBT cards were created outside of the hours of operations (2 district offices); 4) The Weekly Log was completed and closed prior to close of business (1 location); 5) The Electronic Payment Processing and Information Control (EPPIC) EBT Systems Application forms provided by a district office did not match the forms provided by the EBT Project Office (1 district office); 6) Failure to perform the following: ? Completion of the witness field on an EBT Shipment Verification Log (1 district); ? Completion of the weekly approver field on the Weekly Log (1 district office); ? Completion of the EBT Card Paper Logs daily instead of only in an emergency situation (1 location); ? Completion of the requestor field on the EPPIC EBT Systems Application forms (1 district office); ? Completion of the exceptions, approved, and approver fields on the Daily Log when a Form HS 764 was completed (2 district offices); ? Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 location); ? Designate a manager or supervisor to the EBT Coordinator role (1 location); Finding 2022 ? 006: (continued) ? Ensure that coverage for card pinning is available until 5:00 PM each business day (3 district offices and 1 location); ? Ensure EBT Card Tracking Database users are assigned the appropriate role responsibilities within the database. An employee has two active user accounts with different assigned staff roles to each account (1 district office); ? Ensure users no longer using the EBT Card Tracking Database are deactivated (1 district office and 1 location); ? Maintain adequate security of EBT cards (1 district office and 5 locations); ? Maintain adequate security of pinning device (1 district office and 4 locations); ? Maintain adequate security of EBT card printing device (1 location); ? Maintain adequate security of ribbons (1 district office and 4 locations); ? Maintain adequate security of paper EBT logs (3 locations); ? Maintain accurate EBT card inventory in the EBT Card Tracking Database (1 location); ? Maintain operational efficiency due to only having one PIN Select Device (1 district office); ? Maintain operational efficiency due to having an inoperable EBT Card Printer for a portion of the fiscal year (1 district office); ? Proper completion of Form HS 764 (1 district office and 1 location); ? Proper destruction of damaged EBT cards (1 district office); ? Proper format of the EPPIC EBT Systems Application form files sent to the Office of Income Maintenance (OIM) EBT Security Administrator (1 location); ? Scan Form HS 764 to case record after the EBT card is created (1 location); ? Provide the Ribbon Installation and Destruction Log from the EBT Card Tracking Database (1 district office); ? Retain EPPIC EBT Systems Application forms electronically (1 district office); ? Timely enter a shipment received into the EBT Card Tracking Database (1 location); ? Timely completion and submission of the EPPIC EBT Systems Application forms to OIM EBT Security (3 locations). Criteria: The 2022 OMB Uniform Guidance Compliance Supplement, Part 4 ? Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions ? N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also ?75.361, 75.362, 75.363, 75.364, and 75.365): Finding 2022 ? 006: (continued) (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See ?75.303. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Department of Human Services Finding 2022 ? 008: ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) Department of Human Services Did Not Validate Financial Information as Part of Its On-Site Monitoring of Temporary Assistance for Needy Families Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2021-007) Federal Grant Number(s) and Year(s): 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1801PATANF (10/01/2017 ? 9/30/2018), 1701PATANF (10/01/2016 ? 9/30/2017) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: During the fiscal year ended June 30, 2022, the Department of Human Services (DHS) paid $79.5 million in Temporary Assistance for Needy Families (TANF) funding to subrecipients within the New Directions, Cash Grants, and Alternatives to Abortion appropriations (or 22.1 percent) out of total federal TANF expenditures of $360.2 million reported on the June 30, 2022 Schedule of Expenditures of Federal Awards. Our testing of DHS?s during-the-award monitoring of subrecipients for the fiscal year ended June 30, 2022 disclosed that DHS performed on-site monitoring for 20 out of 21 subrecipients selected for testing. The on-site monitoring that was performed consisted of reviews of program operations including design, data entry accuracy and timeliness, case management analysis, and program payment performance goals. The on-site monitoring also included a review of a sample of TANF recipient case files to ensure that the recipients? TANF activities were documented and accurately entered in the Commonwealth?s Workforce Development System. However, DHS?s monitoring procedures for the 20 subrecipients were not adequate as they did not include a review or monitoring of subrecipient financial records, which would provide an assessment of a subrecipient?s compliance with applicable federal regulations. Although DHS?s monitoring procedures include reviewing subrecipient completed questionnaires for selected subrecipients that had questions related to financial matters, DHS?s monitoring personnel did not review subrecipient financial records. For example, DHS did not perform procedures to ensure subrecipient invoices agreed to the books and records of the subrecipient and that the records were adequate to support the allowability of costs paid by DHS during the award period. In addition, DHS?s monitoring procedures did not include an evaluation of the operating effectiveness of DHS subrecipients? procedures to monitor Single Audits and any related findings. Our testing of the 21 subrecipients noted above included follow up on one subrecipient identified in the prior year finding as not being on-site monitored by DHS when the risk assessment warranted on-site monitoring. Our follow-up during the current audit period disclosed that DHS did not conduct on-site monitoring for this subrecipient during the fiscal year ended June 30, 2022. Since the on-site monitoring was not completed, internal control weaknesses, noncompliance, and questioned costs may have existed and remained undetected during the current audit period. This subrecipient received $980,923 of TANF funds during the fiscal year ended June 30, 2022. Criteria: 45 CFR Section 75.352, Requirements for pass-through entities, states: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. Finding 2022 ? 008: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by ? 75.521 [Management decision]. 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in ?200.425 [Audit services]. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: DHS planned to implement new during-the-award monitoring procedures to be used for the on-site monitoring of subrecipients, but these procedures were not in place for monitoring conducted during the fiscal year ended June 30, 2022. Therefore, DHS has not implemented adequate during-the-award monitoring procedures of subrecipients to include testing of the financial records and the subrecipients? monitoring of Single Audits sufficient to ensure compliance with federal regulations. Regarding the one subrecipient for which on-site monitoring was not completed, DHS personnel stated that they are working with the subrecipient to obtain the necessary documentation to complete the on-site monitoring. Effect: TANF subrecipients could be operating in noncompliance with federal regulations without timely detection and correction by DHS management. Recommendation: DHS should strengthen its controls to ensure during-the-award monitoring of TANF subrecipients includes procedures to ensure that subrecipients are in compliance with applicable federal regulations. This should include examining subrecipients? financial records and ensuring that all required Single Audits were obtained by DHS subrecipients. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Office of the Budget ? Office of Comptroller Operations Finding 2022 ? 012: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s FFATA Reporting Process Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021) Type of Finding: Material Weakness, Material Noncompliance Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth?s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month?s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $113.1 million from ten major programs disclosed that 13 transactions totaling $29.2 million, or 33 percent of transactions tested, were not reported to FSRS. Specifically, the 13 transactions for which the FFATA information was not reported occurred within three of the ten programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (1) Not all subrecipient awards within total subrecipient expenditures (program total) may meet the criteria for FFATA reporting. Finding 2022 ? 012: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2022 ? 012: (continued) Cause: OB-BAFM personnel indicated that due to staff turnover, certain subawards were not reported to FSRS because the award dates were not being entered for the internal order number in SAP. The award dates identify the contracts that are extracted from SAP for the upload to the FFATA database and the subsequent upload to FSRS. As a result of our testing, OB-BAFM personnel indicated they have established and implemented procedures to ensure award dates are entered into SAP for all internal orders so that the required subawards are properly reported in FSRS. The new procedures also include review of the FFATA information to ensure the data is consistent and correct before being uploaded to FSRS. Regarding the 13 transactions identified during our testing that were not reported to the FFATA database, OB-BAFM personnel indicated they subsequently identified and entered award dates for subawards that were missing an award date, allowing the award information to upload to the FFATA database and FSRS as required. Effect: Since the award dates for 13 internal order numbers were not entered in SAP, the awards failed to upload to the FFATA database and were not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements may recur in future periods if control deficiencies are not corrected to ensure completeness of the upload to FSRS. Recommendation: We recommend that OB-BAFM continue to implement their established procedures to ensure all subrecipient contract information is properly recorded in SAP and the upload into the FFATA database, and FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 013: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient?s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2021-014) Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1901PATANF (10/01/2018 ? 9/30/2019), 2101PAADPT (10/01/2020 ? 9/30/2021), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2022. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the DHS and the Pennsylvania Department of Health (DOH) did not adequately evaluate each subrecipient?s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients? Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by ?No?) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient?s risk of noncompliance. SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2022 ? 013: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) (1) Although an evaluation of subrecipient risk was conducted, the only risk factor used in the evaluation was the error rate detected for the county subrecipients. The evaluation is deemed inadequate since there was no written evidence that the risk assessment considered other risk factors, such as the risk factors identified in 2 CFR Section 200.332. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient?s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient?s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Finding 2022 ? 013: (continued) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS?s process for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS and DOH were not properly documented. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Recommendation: DHS should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS and DOH should implement procedures to adequately document their evaluation of each subrecipient?s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with this finding. DOH Response: DOH agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 013: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient?s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2021-014) Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1901PATANF (10/01/2018 ? 9/30/2019), 2101PAADPT (10/01/2020 ? 9/30/2021), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2022. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the DHS and the Pennsylvania Department of Health (DOH) did not adequately evaluate each subrecipient?s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients? Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by ?No?) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient?s risk of noncompliance. SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2022 ? 013: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) (1) Although an evaluation of subrecipient risk was conducted, the only risk factor used in the evaluation was the error rate detected for the county subrecipients. The evaluation is deemed inadequate since there was no written evidence that the risk assessment considered other risk factors, such as the risk factors identified in 2 CFR Section 200.332. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient?s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient?s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Finding 2022 ? 013: (continued) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS?s process for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS and DOH were not properly documented. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Recommendation: DHS should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS and DOH should implement procedures to adequately document their evaluation of each subrecipient?s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with this finding. DOH Response: DOH agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 013: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient?s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2021-014) Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1901PATANF (10/01/2018 ? 9/30/2019), 2101PAADPT (10/01/2020 ? 9/30/2021), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2022. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the DHS and the Pennsylvania Department of Health (DOH) did not adequately evaluate each subrecipient?s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients? Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by ?No?) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient?s risk of noncompliance. SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2022 ? 013: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) (1) Although an evaluation of subrecipient risk was conducted, the only risk factor used in the evaluation was the error rate detected for the county subrecipients. The evaluation is deemed inadequate since there was no written evidence that the risk assessment considered other risk factors, such as the risk factors identified in 2 CFR Section 200.332. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient?s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient?s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Finding 2022 ? 013: (continued) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS?s process for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS and DOH were not properly documented. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Recommendation: DHS should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS and DOH should implement procedures to adequately document their evaluation of each subrecipient?s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with this finding. DOH Response: DOH agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 013: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient?s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2021-014) Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1901PATANF (10/01/2018 ? 9/30/2019), 2101PAADPT (10/01/2020 ? 9/30/2021), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2022. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the DHS and the Pennsylvania Department of Health (DOH) did not adequately evaluate each subrecipient?s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients? Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by ?No?) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient?s risk of noncompliance. SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2022 ? 013: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) (1) Although an evaluation of subrecipient risk was conducted, the only risk factor used in the evaluation was the error rate detected for the county subrecipients. The evaluation is deemed inadequate since there was no written evidence that the risk assessment considered other risk factors, such as the risk factors identified in 2 CFR Section 200.332. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient?s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient?s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Finding 2022 ? 013: (continued) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS?s process for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS and DOH were not properly documented. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Recommendation: DHS should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS and DOH should implement procedures to adequately document their evaluation of each subrecipient?s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with this finding. DOH Response: DOH agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 013: ALN 93.323 ? Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient?s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2021-014) Federal Grant Number(s) and Year(s): NU50CK000527 (8/01/2019 ? 7/31/2024), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 1901PATANF (10/01/2018 ? 9/30/2019), 2101PAADPT (10/01/2020 ? 9/30/2021), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022) Type of Finding: Significant Deficiency, Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2022. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the DHS and the Pennsylvania Department of Health (DOH) did not adequately evaluate each subrecipient?s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients? Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by ?No?) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient?s risk of noncompliance. SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2022 ? 013: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) (1) Although an evaluation of subrecipient risk was conducted, the only risk factor used in the evaluation was the error rate detected for the county subrecipients. The evaluation is deemed inadequate since there was no written evidence that the risk assessment considered other risk factors, such as the risk factors identified in 2 CFR Section 200.332. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient?s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient?s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Finding 2022 ? 013: (continued) Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS?s process for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS and DOH were not properly documented. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Recommendation: DHS should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS and DOH should implement procedures to adequately document their evaluation of each subrecipient?s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with this finding. DOH Response: DOH agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.

Various Agencies Finding 2022 ? 014: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 ? Child Nutrition Cluster (including COVID-19) ALN 10.557 ? WIC Special Supplemental Nutrition Program for Women, Infants, and Children (including COVID-19) ALN 10.558 ? Child and Adult Care Food Program (including COVID-19) ALN 15.252 ? Abandoned Mine Land Reclamation ALN 21.023 ? COVID-19 ? Emergency Rental Assistance Program ALN 84.010 ? Title I Grants to Local Educational Agencies ALN 84.027 and 84.173 ? ? Special Education Cluster (IDEA) (including COVID-19) ALN 84.425C ? COVID 19 ? Education Stabilization Fund - GEER Fund ALN 84.425D ? COVID 19 ? Education Stabilization Fund - ESSER Fund ALN 84.425R ? COVID 19 ? Education Stabilization Fund - CRRSA EANS ALN 84.425U ? COVID 19 ? Education Stabilization Fund - ARP ESSER ALN 84.425W ? COVID 19 ? Education Stabilization Fund - ARP ESSER HCY ALN 93.558 ? Temporary Assistance for Needy Families (including COVID-19) ALN 93.563 ? Child Support Enforcement ALN 93.575 and 93.596 ? Child Care and Development Fund (CCDF) Cluster (including COVID-19) ALN 93.658 ? Foster Care ? Title IV-E (including COVID-19) ALN 93.659 ? Adoption Assistance (including COVID-19) ALN 93.775, 93.777, and 93.778 ? Medicaid Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth?s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2021-015) Federal Grant Number(s) and Year(s): 1PA300365 (1/01/2022 ? 9/30/2023), 1PA310305 (10/01/2021 ? 9/30/2022), 1PA310305 (10/01/2020 ? 9/30/2021), 1PA300305 (10/01/2021 ? 9/30/2022), 1PA300305 (10/01/2020 ? 9/30/2021), 1PA320305 (12/27/2020 ? 9/30/2021), Y22174 (10/01/2021 ? 9/30/2024), Y13194 (10/01/2020 ? 9/30/2023), Y03194 (10/01/2019 ? 9/30/2023), Y03191 (10/01/2019 ? 9/30/2020), Y22173 (10/01/2021 ? 9/30/2022), Y22172 (10/01/2021 ? 9/30/2022, Y13191 (10/01/2020 ? 9/30/2021), Y13061 (10/01/2020 ? 9/30/2021), S22AF00017 (1/01/2022 ? 12/31/2024), S21AF10050 (6/01/2021 ? 5/31/2024), S21AF10015 (1/01/2021 ? 12/31/2023), S20AF20092 (10/01/2020 ? 9/30/2023), S20AF20006 (1/01/2020 ? 12/31/2022), S19AF20006 (1/01/2019 ? 12/31/2021), S19AF20004 (12/01/2018 ? 11/30/2023), S18AF20004 (11/01/2017 ? 10/31/2023), ERAE0131 (1/19/2021 ? 12/29/2022), ERAE0333 (5/11/2021 ? 12/30/2025), S010A210038 (7/01/2021 ? 9/30/2022), S010A200038 (7/01/2020 ? 9/30/2021), H027A210093 (7/01/2021 ? 9/30/2022), H027A200093 (7/01/2020 ? 9/30/2021), S425D200028 (3/13/2020 ? 9/30/2022), S425D210028 (3/13/2020 ? 9/30/2022), 2201PATANF (10/01/2021 ? 9/30/2022), 2101PATANF (10/01/2020 ? 9/30/2021), 2001PATANF (10/01/2019 ? 9/30/2020), 2201PACSES (10/01/2021 ? 9/30/2022), 2101PACSES (10/01/2020 ? 9/30/2021), G2201PACCDF (10/01/2021 ? 9/30/2022), G2101PACCDF (10/01/2020 ? 9/30/2021), 2201PAFOST (10/01/2021 ? 9/30/2022), 2101PAFOST (10/01/2020 ? 9/30/2021), 2001PAFOST (10/01/2019 ? 9/30/2020), 2201PAADPT (10/01/2021 ? 9/30/2022), 2101PAADPT (10/01/2020 ? 9/30/2021), 2205PA5MAP (10/01/2021 ? 9/30/2022), 2105PA5MAP (10/01/2020 ? 9/30/2021) Finding 2022 ? 014: (continued) Type of Finding: Significant Deficiency, Noncompliance for Medicaid Cluster Material Weakness, Material Noncompliance for Other Programs Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget?s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse?s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2022 audit of the Commonwealth?s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth?s fiscal year ended June 30, 2021 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2022. We also evaluated the Commonwealth?s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies? tracking lists during the fiscal year ended June 30, 2022 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies? review of subrecipient audit reports: ? Department of Education (PDE): The time period for making a management decision on findings was approximately 6.5 to over 13 months after the FAC MDL start date for 14 out of 25 audit reports with findings. Three of the 14 audit reports were improperly classified on PDE?s audit tracking list as not having federal award findings. ? Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 16.2 months after the FAC MDL start date for one out of three audit reports with findings. In addition, our review disclosed that DEP subgranted federal funds totaling $10,338,570 to one subrecipient during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended due to the COVID-19 pandemic in accordance with the Office of Management and Budget?s (OMB) Memorandum M-21-20, Appendix 3. ? Department of Health (DOH): Our review disclosed that DOH subgranted federal funds totaling $8,103,407 to one subrecipient during the fiscal year ended September 30, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 12.5 months after the December 31, 2021 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. ? Department of Human Services (DHS): The time period for making a management decision on findings ranged from approximately 6.6 months to over 19.6 months after the FAC MDL start date for 12 out of 14 subrecipient audit reports with findings. There was also a delay in DHS?s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Finding 2022 ? 014: (continued) As a follow-up to the prior year finding, we noted that the Commonwealth subgranted federal funds totaling $327,988,063 to the City of Philadelphia during the fiscal year ended June 30, 2021, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 3.5 months after the September 30, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. Our testing disclosed that DHS?s subgrants to the City of Philadelphia were material for five of the 16 major programs/clusters with material subgranted funds. Our follow-up on the prior year finding also disclosed that the Commonwealth subgranted federal funds totaling $28,725,212 to Bucks County during the fiscal year ended December 31, 2020, for which a Single Audit was not submitted to the FAC as of our January 2023 testing date. This was over 9.5 months after the March 31, 2022 due date, which had been extended in accordance with OMB?s Memorandum M-21-20, Appendix 3. DHS was the lead agency for the City of Philadelphia and Bucks County audits. Criteria: 2 CFR ?200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ?200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in ?200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient?s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity?s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in ?200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR ?200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor?s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. Finding 2022 ? 014: (continued) 2 CFR ?200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR ?200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in ?200.339 [Remedies for noncompliance]. 2 CFR ?200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ?200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended ? Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program? (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: Finding 2022 ? 014: (continued) (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth?s reliance on an acceptable audit and prompt resolution as evidence of the recipient?s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended ? Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (1) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (6) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR ?200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended ? Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office?s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. The late management decision at DEP appeared to be the result of a subrecipient being treated as a contractor as described in current year Single Audit Finding #2022-005, despite having a subrecipient Single Audit requirement clause in its contract with DEP. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.8 in order to ensure compliance with federal audit submission requirements. Finding 2022 ? 014: (continued) Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. DOH Response: DOH agrees with the finding. DHS Response: While DHS agrees with this finding, we believe we are in compliance with 2 CFR ?200.339 and Commonwealth Management Directive 325.08 related to outstanding audits. We continue to work with counties and their independent auditors to obtain any late Single Audit reports, and albeit late, we do receive them which is the ultimate goal. Questioned Costs: The amount of questioned costs cannot be determined. The corrective action plan for this finding, if any, has not been reviewed by the auditors. See Corrective Action Plans located elsewhere in this Report.